Secure VLAN-Based LAN for Afghan Global Insurance
Design of a Secure VLAN-Based Local Area Network for Afghan Global Insurance
By
Mohammed Maiwand (Hamdard)
(*********)
Bachelor of Computer Science
Under the Supervision of
Mr. Ajmal Rahmati
Dunya University
Kucheh Golfroshi, Kabul Afghanistan
Spring, 2025
Dunya University
Secure VLAN-Based LAN for Afghan Global Insurance
Design of a Secure VLAN-Based Local Area Network for Afghan Global Insurance
A Thesis Presented to
Dunya University
In partial fulfillment
of the requirement for the degree of
Bachelor of Computer Science
By
Mohammed Maiwand (Hamdard)
(*********)
Spring, 2025
Final Approval
The undersigned have examined the thesis entitled "Secure VLAN-Based LAN for Afghan
Global Insurance", presented by Mohammed Maiwand, a candidate for the degree of BCS
(Bachelor of Computer Science), and hereby certify that it is worthy of acceptance.
_______________________ ___________________________
Signature & Date Supervisor
________________________ ____________________________
Signature & Date Co-Supervisor (Where Required)
________________________ ____________________________
Signature & Date Dean of Faculty
DECLARATION
I, Mohammed Maiwand (Hamdard), hereby declare that the work presented in this thesis
entitled "Secure VLAN-Based LAN for Afghan Global Insurance" has been carried out by
me during the prescribed period of study under the supervision of Mr. Ajmal Rahmati.
I also declare that I have not taken any material from any source without proper citation
and acknowledgment. I affirm that the level of similarity (plagiarism) in this thesis is within
the acceptable academic range set by the institution. If any violation of university research
rules is found, I will be fully responsible and accept any disciplinary action as per
institutional policy.
_____________________
Mohammed Maiwand (Hamdard)
(*********)
CERTIFICATE
This is to certify that the thesis work entitled "Secure VLAN-Based LAN for Afghan
Global Insurance" submitted by Mohammed Maiwand (Hamdard), Registration Number:
(*****) is a Bachelor's project report carried out under my supervision and guidance in
partial fulfillment of the requirements for the degree of Bachelor of Computer Science.
The work embodied in this thesis is original and has not been submitted elsewhere for any
degree or diploma. The research work and findings are consistent with the academic
standards of Dunya University.
_____________________
Mr. Ajmal Rahmati
Supervisor
Assistant Professor
Computer Science Faculty
Dunya University
ACKNOWLEDGMENTS
The successful completion of this thesis titled "Secure VLAN-Based LAN for Afghan
Global Insurance" would not have been possible without the support, guidance, and
encouragement of many individuals, to whom I am deeply grateful.
First and foremost, I would like to express my sincere appreciation to my supervisor, Mr.
Ajmal Rahmati, Assistant Professor at Dunya University, for his continuous guidance,
expert knowledge, and constructive feedback throughout the course of this project. His
encouragement and valuable insights helped me stay focused and confident during each
phase of the thesis.
I would also like to extend my gratitude to the Dean of Computer Science Faculty, Mr.
Ajmal Rahmati, for fostering a supportive academic environment and providing the
resources necessary for research and innovation.
My heartfelt thanks go to my family, especially my parents, for their unconditional love,
encouragement, and patience during this journey. Their belief in me has always been a
source of strength.
Special thanks to my classmates and friends who shared their knowledge, offered moral
support, and contributed to technical discussions that enriched the quality of this work.
Lastly, I am thankful to Afghan Global Insurance for providing the practical context and
inspiration for this project. Without their structure as a case study, this project would not
have been as meaningful or impactful.
This work is a collective achievement, and I dedicate it to everyone who believed in me
and supported me along the way.
Mohammed Maiwand (Hamdard)
Registration Number: (*******)
ABSTRACT
In today’s digital era, insurance companies handle highly sensitive data and rely on secure,
scalable, and efficient network infrastructures to ensure operational continuity and data
protection. Afghan Global Insurance, like many institutions in developing regions, has
been operating on a traditional flat LAN architecture, which presents numerous challenges
including poor performance, lack of access control, and high vulnerability to internal and
external threats. This thesis presents the design and implementation of a secure VLAN-
based Local Area Network tailored for Afghan Global Insurance. The proposed solution
includes logical segmentation of departments using VLANs, inter-VLAN communication
via a Layer 3 router, and enhanced security mechanisms such as Access Control Lists
(ACLs), DHCP Snooping, Port Security, and Dynamic ARP Inspection. The methodology
involved network requirement analysis, IP addressing with subnetting, topological and
flow-based design, and full simulation using Cisco Packet Tracer. The network
implementation achieved improved data protection, reduced broadcast traffic, enhanced
manageability, and future scalability. This project not only resolves existing technical
limitations but also provides a practical and replicable model for other organizations across
Afghanistan aiming to modernize their network infrastructure in a cost-effective and
standards-based manner.
Table of Contents
Chapter Page
DECLARATION ......................................................................................................................................... IV
CERTIFICATE ............................................................................................................................................. V
ACKNOWLEDGMENTS ............................................................................................................................. VI
ABSTRACT ..............................................................................................................................................VII
CHAPTER I ................................................................................................................................................ 1
INTRODUCTION ........................................................................................................................................ 1
1.1 INTRODUCTION..........................................................................................................................................1
1.2 PROBLEM STATEMENT.................................................................................................................................1
1.3 OBJECTIVES OF THE STUDY ...........................................................................................................................2
1.4 SIGNIFICANCE OF THE STUDY ........................................................................................................................3
1.5 OBJECTIVE AND SCOPE OF THE PROJECT .........................................................................................................4
1.5.1 Objective of the Project .................................................................................................................4
1.5.2 Scope of the Project ......................................................................................................................5
1.6 STRUCTURE OF THE THESIS...........................................................................................................................6
CHAPTER II ............................................................................................................................................... 8
BACKGROUND .......................................................................................................................................... 8
2.1 BASIC CONCEPTS OF LAN NETWORKS ............................................................................................................8
2.2 PROBLEMS OF FLAT LAN ARCHITECTURE ........................................................................................................8
2.3 DEFINITION AND ADVANTAGES OF VLAN ........................................................................................................8
2.4 PRACTICAL EXAMPLES AND USE CASES IN ORGANIZATIONS.................................................................................9
2.5 NETWORK LAYERING (ACCESS, DISTRIBUTION, CORE) .......................................................................................9
CHAPTER III ............................................................................................................................................ 10
PROBLEM DESCRIPTION ......................................................................................................................... 10
3.1 CURRENT NETWORK STATUS AT AFGHAN GLOBAL INSURANCE...........................................................................10
3.2 LACK OF LOGICAL SEPARATION BETWEEN USERS ............................................................................................10
3.3 SECURITY RISKS, INCREASED BROADCAST, AND PERFORMANCE DEGRADATION .....................................................11
3.4 THE NEED FOR DESIGNING A VLAN-BASED LAN ...........................................................................................12
3.4.1. Enhanced Organizational Security .............................................................................................12
3.4.2. Better Traffic Control and Reduced Broadcast ...........................................................................13
3.4.3. Improved Scalability ...................................................................................................................13
3.4.4. Easier and More Flexible Network Management .......................................................................13
3.4.5. Compliance with International Standards ..................................................................................13
CHAPTER IV ............................................................................................................................................ 14
RELATED WORK ...................................................................................................................................... 14
4.1 REVIEW OF SCIENTIFIC RESOURCES ON VLAN AND NETWORK SECURITY .............................................................14
4.1.1 VLANs as a Security Mechanism .................................................................................................14
4.1.2 Network Segmentation in Best Practices and Standards ............................................................14
4.1.3 Technical Documentation and Vendor Recommendations ..........................................................15
4.1.4 Case Studies in Real-World Organizations ..................................................................................15
4.1.5 Relevance to Afghan Organizations ............................................................................................15
4.2 NETWORK THREATS AND THE NEED FOR SEGMENTATION .................................................................................15
4.2.1 Internal Threats ...........................................................................................................................16
4.2.2 External Threats ..........................................................................................................................16
4.2.3 Why Logical Segmentation Is an Effective Solution .....................................................................16
4.2.4 Segmentation as a Core Principle in International Standards .....................................................16
4.2.5 Operational Benefits of Segmentation ........................................................................................17
4.3 RECOMMENDATIONS FROM CISCO, IEEE, NIST, AND OTHER STANDARDS ...........................................................17
4.3.1 Cisco's Best Practices ...................................................................................................................17
4.3.2 IEEE Standards – 802.1Q and 802.1X ..........................................................................................18
4.3.3 NIST Guidelines – SP 800 Series...................................................................................................18
4.3.4 Other Industry Best Practices and Frameworks ..........................................................................18
4.4 COMPARISON OF METHODS AND INNOVATION IN THE CURRENT PROJECT............................................................19
4.4.1 Common Network Segmentation Approaches ............................................................................19
4.4.2 Position of the Current Project ....................................................................................................20
4.4.3 Added Value Compared to the Current Situation in Afghanistan ................................................20
CHAPTER V ............................................................................................................................................. 21
METHODOLOGY ..................................................................................................................................... 21
5.1 REQUIREMENT ANALYSIS ...........................................................................................................................21
5.1.1. Organizational Overview and Departmental Structure..............................................................21
5.1.2. Current Network Infrastructure Assessment ..............................................................................21
5.1.3. User and Device Inventory .........................................................................................................22
5.1.4. Network Usage and Performance Needs ...................................................................................22
5.1.5. Security and Compliance Considerations ...................................................................................22
5.1.6. Project Constraints .....................................................................................................................23
5.2 IP ADDRESSING AND SUBNETTING DESIGN (EXPANDED AND TECHNICAL VERSION)................................................23
5.2.1 Core Concepts Applied ................................................................................................................23
5.2.2 Advantages of This IP Design ......................................................................................................24
5.2.3 Simulation Results in Cisco Packet Tracer ....................................................................................25
5.3 PHYSICAL AND LOGICAL TOPOLOGY DESIGN ..................................................................................................25
5.3.1. Physical Topology Design ...........................................................................................................25
5.3.2. Logical Topology Design .............................................................................................................26
5.3.3. Benefits of Combined Topology ..................................................................................................27
5.4 VLAN, TRUNK, AND ACL CONFIGURATION ...................................................................................................28
5.4.1. VLAN Configuration....................................................................................................................28
5.4.2. Configuring Access Ports ............................................................................................................29
5.4.3. Trunk Port Configuration ............................................................................................................29
5.4.4. Inter-VLAN Routing Configuration..............................................................................................30
5.4.5. ACL Configuration for Access Control .........................................................................................30
5.4.6. Layer 2 Security Enhancements..................................................................................................31
5.5 IMPLEMENTATION OF LAYER 2 SECURITY FEATURES .........................................................................................32
5.5.1. Port Security ...............................................................................................................................32
5.5.2. DHCP Snooping ..........................................................................................................................32
5.5.3. Dynamic ARP Inspection (DAI) ...................................................................................................33
5.5.4. BPDU Guard ...............................................................................................................................33
5.5.5. Preventing VLAN Hopping ..........................................................................................................34
5.6 TESTING AND VALIDATION USING CISCO PACKET TRACER .................................................................................34
5.7 STAFF TRAINING AND PROJECT DOCUMENTATION HANDOVER...........................................................................36
CHAPTER VI .............................................................................................................................. 39
PROJECT DESIGN ..................................................................................................................... 39
6.1 TOPOLOGICAL MODELS .............................................................................................................................39
6.2 FLOW-BASED MODELS .............................................................................................................................41
6.3 FUNCTIONAL MODELS ..............................................................................................................................43
6.4 NETWORK DIAGRAMS AND CHARTS .............................................................................................................44
6.5 EQUIPMENT LAYOUT, WIRELESS ACCESS, AND VLAN ALLOCATION ....................................................................46
CHAPTER VII ........................................................................................................................................... 49
PROJECT IMPLEMENTATION ................................................................................................................... 49
7.1 LIST OF HARDWARE AND SOFTWARE EQUIPMENT ...........................................................................................49
7.2 PHYSICAL INSTALLATION AND SETUP PROCESS ................................................................................................50
7.3 VLAN, ROUTER, AND SWITCH CONFIGURATION.............................................................................................51
7.4 ENABLING PORT SECURITY, DHCP SNOOPING, AND ACL.................................................................................52
7.4.1 Port Security ................................................................................................................................52
7.4.2 DHCP Snooping ...........................................................................................................................53
7.4.3 Access Control Lists (ACLs) ..........................................................................................................53
7.5 EMPLOYEE TRAINING ................................................................................................................................54
7.5.1 Training Objectives ......................................................................................................................54
7.5.2 Training Modules ........................................................................................................................54
7.5.3 Training Delivery Format .............................................................................................................55
7.6 PROJECT EXECUTION TIMELINE ...................................................................................................................55
7.7 PROJECT TIMELINE (6 WEEKS)....................................................................................................................55
CHAPTER VIII .......................................................................................................................................... 57
CONCLUSION .......................................................................................................................................... 57
8.1 PURPOSE AND PROBLEM SUMMARY ............................................................................................................57
8.2 ACHIEVEMENTS AND CONTRIBUTIONS ..........................................................................................................57
8.3 INTERPRETATION AND FINAL REFLECTIONS ....................................................................................................57
8.4 LIMITATIONS AND CONSTRAINTS .................................................................................................................58
8.5 RECOMMENDATIONS FOR FUTURE WORK .....................................................................................................58
8.6 FINAL REMARKS.......................................................................................................................................58
REFERENCES..............................................................................................................................................59
LIST OF TABLES
Table 1: List of departments, users and devices ................................................................ 22
Table 2: VLANs with chosen subnets .................................................................................. 24
Table 3: Final IP addressing ............................................................................................... 24
Table 4: Description of the VLAN design ........................................................................... 25
Table 5: VLAN IP addressing after subnetting .................................................................... 26
Table 6: Simple IP configuration of VLANs ........................................................................ 28
Table 7: Planning for internal IT training ........................................................................... 37
Table 8: Necessary documents for delivery ....................................................................... 38
Table 9: Logical division of VLANs ...................................................................................... 41
Table 10: Advantages and limitations ................................................................................ 41
Table 11: Data security analysis ......................................................................................... 43
Table 12: Functions of different VLANs ............................................................................. 43
Table 13: Assigning ports to VLANs .................................................................................... 46
Table 14: All information about IP addressing ................................................................... 46
Table 15: Physical placement of devices and connections ................................................ 47
LIST OF FIGURES
Figure 1: Creating VLANs .................................................................................................... 29
Figure 2: Configuration of access ports for VLANs ............................................................ 29
Figure 3: Declaring trunk ports for VLANs ......................................................................... 30
Figure 4: Enabling communication between VLANs .......................................................... 30
Figure 5: Configuration of an access list ............................................................................ 31
Figure 6: Configuration of port security for VLANs ........................................................... 31
Figure 7: Preventing unauthorized devices from connecting to switch ports .................. 32
Figure 8: Configuration of DHCP snooping ........................................................................ 33
Figure 9: Configuration allowing only the uplink to offer DHCP to the network .............. 33
Figure 10: Configuration against spanning tree attacks .................................................... 34
Figure 11: Configuration preventing hopping from one VLAN to another ........................ 34
Figure 12: Physical layout of the network .......................................................................... 40
Figure 13: Configuration of Layer 2 port security .............................................................. 52
Figure 14: Configuration for keeping ports secure ............................................................ 53
Figure 15: Creating an access list on the router ................................................................ 53
Chapter I
INTRODUCTION
1.1 Introduction
In the 21st century, Information and Communication Technology (ICT) has become one of the
most critical drivers of development and efficiency across various organizations and institutions.
Insurance companies, in particular, handle sensitive, confidential, and financial data and thus
require secure, reliable, and high-performance network infrastructures more than most other
entities. Managing customer data, issuing insurance policies, recording payments, and processing
claims all rely on networks that offer speed, security, and flexibility.
In many Afghan organizations, including insurance companies, traditional network structures are
still in use. These flat network designs, known as Flat LANs, place all users and devices within
the same broadcast domain, without any logical segmentation between departments or access
levels. This lack of separation not only increases security vulnerabilities but also causes challenges
in network management, performance optimization, and future scalability.
To address these challenges, Virtual Local Area Network (VLAN) technology has emerged as an
effective solution. VLANs allow users to be logically grouped based on their department or
function, even if they are connected to the same physical switch. This segmentation significantly
enhances network performance, reduces unnecessary traffic, and strengthens security by restricting
access to authorized resources only.
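As an added illustration (not part of the thesis), a small Python model of the broadcast-domain difference described above: a flat switch floods every port, while a VLAN-aware switch confines a Reception broadcast to its own VLAN and hands cross-department traffic to the trunk toward the router, where the ACLs discussed in this project would apply. VLAN IDs, port names and MAC addresses are assumed for the example.

```python
"""Toy model of a flat switch versus a VLAN-aware switch (added example, not thesis code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    vlan: int = 1                           # access VLAN (unused on trunks)
    allowed: FrozenSet[int] = frozenset()   # VLANs permitted on a trunk


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None              # 802.1Q tag; None means untagged


class Switch:
    """Learning switch; with vlan_aware=False every port shares one broadcast domain."""

    def __init__(self, ports: List[Port], vlan_aware: bool = True) -> None:
        self.ports = {p.name: p for p in ports}
        self.vlan_aware = vlan_aware
        self.mac_table: Dict[tuple, str] = {}   # (vlan, mac) -> port name

    def _ingress_vlan(self, port: Port, frame: Frame) -> Optional[int]:
        if not self.vlan_aware:
            return 1                        # flat LAN: everything lands in VLAN 1
        if port.mode == "access":
            return port.vlan                # untagged frame joins the port's access VLAN
        if frame.vlan in port.allowed:
            return frame.vlan               # tagged frame accepted on the trunk
        return None                         # tag not in the trunk's allowed list: drop

    def _egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        if not self.vlan_aware:
            return Frame(frame.src_mac, frame.dst_mac)
        if port.mode == "access":
            return Frame(frame.src_mac, frame.dst_mac) if port.vlan == vlan else None
        return Frame(frame.src_mac, frame.dst_mac, vlan) if vlan in port.allowed else None

    def receive(self, in_port_name: str, frame: Frame) -> Dict[str, Frame]:
        """Forward one frame; returns {egress port: frame as sent} for each port that gets it."""
        in_port = self.ports[in_port_name]
        vlan = self._ingress_vlan(in_port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src_mac)] = in_port_name   # learning is per VLAN
        learned = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and learned is not None:
            candidates = [learned] if learned != in_port_name else []
        else:
            candidates = [n for n in self.ports if n != in_port_name]   # flood
        out = {}
        for name in candidates:
            shaped = self._egress(self.ports[name], vlan, frame)
            if shaped is not None:
                out[name] = shaped
        return out


# Assumed VLAN IDs for the departments named in the thesis.
DEPARTMENT_VLANS = {"IT": 10, "Finance": 20, "HR": 30, "Reception": 40}
FINANCE_A = "00:00:5e:00:53:20"             # constructed MAC addresses
IT_HOST = "00:00:5e:00:53:10"
RECEPTION_HOST = "00:00:5e:00:53:40"


def build_switch(vlan_aware: bool) -> Switch:
    ports = [
        Port("Fa0/1", "access", DEPARTMENT_VLANS["IT"]),
        Port("Fa0/2", "access", DEPARTMENT_VLANS["Finance"]),
        Port("Fa0/3", "access", DEPARTMENT_VLANS["HR"]),
        Port("Fa0/4", "access", DEPARTMENT_VLANS["Reception"]),
        Port("Fa0/5", "access", DEPARTMENT_VLANS["Finance"]),
        Port("Gi0/1", "trunk", allowed=frozenset(DEPARTMENT_VLANS.values())),  # uplink to router
    ]
    return Switch(ports, vlan_aware)


def reception_broadcast(vlan_aware: bool) -> Dict[str, Frame]:
    """A broadcast (e.g. ARP request) from the Reception port."""
    return build_switch(vlan_aware).receive("Fa0/4", Frame(RECEPTION_HOST, BROADCAST))


def it_to_finance_unicast(vlan_aware: bool) -> Dict[str, Frame]:
    """IT host sends directly to a Finance MAC the switch has already learned."""
    sw = build_switch(vlan_aware)
    sw.receive("Fa0/2", Frame(FINANCE_A, BROADCAST))      # Finance host A becomes known
    return sw.receive("Fa0/1", Frame(IT_HOST, FINANCE_A))


def unlisted_vlan_on_trunk() -> Dict[str, Frame]:
    """A frame tagged with a VLAN not in the trunk's allowed list is discarded."""
    return build_switch(True).receive("Gi0/1", Frame("00:00:5e:00:53:99", BROADCAST, vlan=99))


if __name__ == "__main__":
    for aware in (False, True):
        print("vlan_aware=%s broadcast reaches %s" % (aware, sorted(reception_broadcast(aware))))
        print("vlan_aware=%s IT->Finance goes to %s" % (aware, sorted(it_to_finance_unicast(aware))))
```

On the flat switch the Reception broadcast reaches every other port and the IT host talks to Finance directly; on the VLAN-aware switch the broadcast leaves only on the trunk tagged 40, and the IT-to-Finance frame is flooded within VLAN 10 to the router uplink alone, so only the router (and its ACLs) can deliver it.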
This project, titled "Secure VLAN-Based LAN for Afghan Global Insurance," aims to design and
implement a modern, secure, and scalable network architecture tailored to the needs of the
organization. The proposed structure utilizes VLAN technology along with essential security
features such as Access Control Lists (ACLs), Port Security, and DHCP Snooping to ensure
reliable and protected operations for all departments within the company.
1.2 Problem Statement
In today’s digital era, organizations — especially those operating in the financial and insurance
sectors — rely heavily on secure, stable, and efficient network infrastructures to process and
manage sensitive customer information. Despite this critical dependency, many organizations in
Afghanistan still utilize outdated flat network architectures in which all users and devices operate
within the same broadcast domain without logical segmentation or traffic isolation.
Afghan Global Insurance is one such organization currently facing this challenge. Its existing LAN
infrastructure lacks departmental separation, meaning that users from different divisions such as
IT, Finance, and Reception share the same network space. This lack of segmentation poses serious
risks, including:
• Increased vulnerability to internal and external attacks
• Higher likelihood of unauthorized access to confidential data
• Reduced network performance due to broadcast traffic
• Difficulty in enforcing access control and monitoring traffic flows
Without logical separation, a single compromised device could potentially expose the entire
network to cyber threats or data leakage. Moreover, network management becomes more complex
and less scalable, limiting the company’s ability to expand its infrastructure or integrate new
technologies.
To overcome these challenges, there is an urgent need to design and implement a VLAN-based
LAN that logically separates departments, enforces strict access policies, and supports both wired
and wireless devices. The new architecture must be secure, scalable, and tailored to the specific
operational needs of Afghan Global Insurance.
This project proposes a practical solution to transform the company’s traditional flat network into
a segmented and secure environment using VLANs, inter-VLAN routing, Access Control Lists
(ACLs), and additional Layer 2 security features. The goal is to enhance data protection, improve
operational efficiency, and prepare the infrastructure for future growth.
1.3 Objectives of the Study
The primary objective of this study is to design and implement a secure, VLAN-based Local Area
Network (LAN) architecture for Afghan Global Insurance — a network that effectively addresses
the organization’s requirements for security, traffic segmentation, resource control, and scalability.
Insurance companies like Afghan Global Insurance manage large volumes of sensitive data daily,
such as customer records, insurance policies, payment details, and confidential internal documents.
Therefore, it is crucial to establish a network infrastructure that protects these assets from
unauthorized access and internal or external threats.
The specific objectives of this study are as follows:
• Logical Segmentation of Departments: Assign dedicated VLANs to each department (e.g., IT,
Finance, HR, Reception) to isolate network traffic and prevent unauthorized cross-department
access.
• Secure Inter-VLAN Routing: Use a Layer 3 switch or router to manage traffic between VLANs
with tightly controlled access permissions.
• Implementation of Access Policies: Apply Access Control Lists (ACLs) to regulate inter-
VLAN communication according to organizational needs.
• Layer 2 Security Enhancements: Activate features such as DHCP Snooping, Port Security, and
BPDU Guard to protect against switch-level threats and attacks.
• Secure Wireless Access Integration: Integrate wireless access points into the VLAN structure,
ensuring that wireless users remain within their assigned security boundaries.
• Support for Scalability and Expansion: Design the network to allow easy integration of new
departments or branches in the future without requiring a full redesign.
By achieving these objectives, this project not only establishes a secure and reliable network
infrastructure for Afghan Global Insurance but also creates a replicable model that can be adopted
by other organizations and institutions across Afghanistan.
1.4 Significance of the Study
The significance of this study lies in its potential to enhance cybersecurity, optimize network
management, and strengthen the technical capacity of Afghan organizations. As organizations
across the globe increasingly rely on information technology—especially in financial, insurance,
and governmental sectors—the need for structured, secure, and scalable network infrastructures
has become more critical than ever.
Insurance companies, in particular, handle highly sensitive data such as client records, insurance
contracts, payment information, and claims reports. Any unauthorized access or data breach can
result in irreversible damage including financial loss, reputational harm, legal consequences, and
loss of client trust. In this context, the establishment of a secure and manageable network is not
merely an advantage but a necessity.
This study is significant in several key dimensions:
• Enhanced Data Security and Mitigation of Cyber Threats
Through the logical separation of users via VLANs, cross-departmental communication is limited,
significantly reducing the risk of lateral movement by intruders. The implementation of security
measures such as Access Control Lists (ACLs), Port Security, and DHCP Snooping enables precise
monitoring and control of traffic flow, making the network more resilient to both internal and
external threats.
• Improved Network Performance and Operational Efficiency
In traditional flat networks, all devices share the same broadcast domain, resulting in excessive
traffic and latency issues. VLANs help segment traffic, reduce unnecessary broadcast traffic, and
improve the quality of service and data transmission speed across the network.
• Cost-Effective Network Modernization
One major advantage of VLAN technology is that it can be implemented on existing network
hardware without the need for expensive replacements. Given the limited budgets of many Afghan
organizations, this approach offers a practical and affordable solution for improving both network
security and structure.
• Scalability and Future-Readiness
The network design proposed in this project is built with scalability in mind. It allows for easy
integration of new departments or branches without requiring a complete redesign. This prepares
the organization for future growth while maintaining structural consistency.
• Educational and Model Value for Local Institutions
Beyond its technical benefits, this project can serve as an educational model for universities,
vocational institutes, and IT professionals in Afghanistan. The comprehensive documentation of
the design, configuration, and testing processes can be used as a local case study or training
reference in network security and infrastructure design.
• Socio-Economic Impact
Improving the cybersecurity posture of financial institutions such as insurance companies directly
contributes to increased customer trust, reduced losses from cyberattacks, and stronger public
reputation. Over the long term, such transformations can support national stability and economic
development.
1.5 Objective and Scope of the Project
In today's technology-driven world, organizations — especially those in the financial and
insurance sectors — require secure, scalable, and efficiently managed networks to safeguard their
critical data and support daily operations. Afghan Global Insurance, like many institutions in
developing countries, has been operating on a flat LAN architecture, which exposes the
organization to various security vulnerabilities and limits performance. This project seeks to
overcome these limitations by designing and implementing a secure VLAN-based LAN
architecture tailored to the organization’s structure and requirements.
1.5.1 Objective of the Project
The primary objective of this project is to:
• Develop a secure and logically segmented network using Virtual Local Area Network (VLAN)
technology.
• Assign each department within the organization its own VLAN to isolate traffic, improve
security, and streamline access control.
• Enable inter-VLAN communication through a Layer 3 device (router or Layer 3 switch),
strictly managed by Access Control Lists (ACLs).
• Enhance network security by implementing Layer 2 security measures such as:
o DHCP Snooping
o Port Security
o BPDU Guard
• Integrate wireless access points into the VLAN structure to support mobility and flexibility.
• Ensure that the designed network is scalable, allowing easy integration of future departments,
services, or remote branches.
The network will serve the following primary departments:
• Administration / IT
• Finance / Human Resources
• Customer Service / Reception
1.5.2 Scope of the Project
The scope of the project includes both the design and implementation phases. It covers:
• Requirement Gathering – Analyzing the current network setup, identifying limitations, and
defining technical requirements.
• Network Planning and Design – Creating IP addressing schemes using subnetting, defining
VLAN structures, and designing physical and logical topologies.
• Device Configuration – Setting up switches, routers, and access points with proper VLAN
tagging, trunk links, and ACLs.
• Security Implementation – Enabling Layer 2 security features and ensuring isolated and
protected traffic flow between departments.
• Simulation and Testing – Verifying network performance and functionality using tools like
Cisco Packet Tracer.
• Documentation – Creating detailed network documentation including diagrams, IP plans,
VLAN IDs, configurations, and security policies.
• User Training and Handover – Training IT staff to manage, troubleshoot, and expand the
network.
By accomplishing these objectives, the project aims to deliver a cost-effective, highly secure, and
technically sound LAN model for Afghan Global Insurance. Furthermore, the network design
serves as a reference model that can be replicated by other Afghan institutions facing similar
challenges in IT infrastructure development.
This project not only addresses the specific operational needs of Afghan Global Insurance but also
contributes to the broader goal of strengthening digital infrastructure in Afghanistan’s financial
sector.
1.6 Structure of the Thesis
This thesis consists of eight main chapters, each addressing a specific aspect of the design and
implementation process of a VLAN-based network for Afghan Global Insurance. The structure has
been carefully planned to ensure a logical and technical flow from conceptual foundations to
implementation and evaluation. A brief overview of each chapter is as follows:
• Chapter 1: Introduction
Introduces the general context of the project, outlines key challenges, defines the objectives and
scope, and presents the overall structure of the thesis.
• Chapter 2: Background
Covers the foundational concepts of LAN networking, the limitations of flat network structures,
an introduction to VLANs and their advantages, and real-world applications of VLANs in
enterprise environments. It also introduces the three-layer network model: Access, Distribution,
and Core.
• Chapter 3: Problem Description
Describes the current network state at Afghan Global Insurance, highlighting the lack of logical
segmentation, increased broadcast traffic, security vulnerabilities, and the need for a secure
VLAN-based redesign.
• Chapter 4: Related Work
Reviews existing literature, case studies in similar financial institutions, and best practice
recommendations from industry standards like Cisco, IEEE, and NIST for secure VLAN
implementation.
• Chapter 5: Methodology
Explains the step-by-step approach of the project, including requirement analysis, IP addressing
and subnetting, physical and logical topology design, VLAN and security configurations,
simulation with Cisco Packet Tracer, and staff training procedures.
• Chapter 6: Project Design
Presents various design models including topological, data-flow, and functional views of the
network. Network diagrams, charts, and equipment layout (including VLANs and wireless
coverage) are illustrated in this chapter.
• Chapter 7: Project Implementation
Details the real-world implementation process, including equipment installation, cable
management, device configuration, activation of security features, employee training, cost
analysis, and execution schedule.
• Chapter 8: Conclusion
Summarizes the project objectives and outcomes, evaluates the performance and security of the
new network, discusses scalability potential, and provides recommendations for future
improvements and research.
At the end of the thesis, a References section will include all cited works, followed by Appendices
that contain CLI commands, Packet Tracer screenshots, IP addressing plans, and configuration
tables, forming a complete technical documentation for future use.
CHAPTER II
BACKGROUND
2.1 Basic Concepts of LAN Networks
A Local Area Network (LAN) is a network that connects a collection of computers, printers,
servers, and other devices within a limited geographical area, such as an office or company. The
primary goal of a LAN is to facilitate communication and resource sharing among users. In a
typical LAN, all devices are interconnected and exchange data via switches or hubs.
LANs play a crucial role in organizational performance, and a proper design can significantly
impact both security and efficiency. However, the traditional implementation of LANs is often flat,
which introduces several challenges in terms of security and management.
2.2 Problems of Flat LAN Architecture
In a flat network architecture, all devices reside in a single broadcast domain. This means that
every broadcast message is received by all devices on the network, leading to unnecessary traffic,
reduced network performance, and a larger attack surface for internal threats.
The main issues associated with flat networks include:
• Lack of logical separation between users and departments
• Increased risk of unauthorized access to sensitive data
• Inability to enforce effective control and security policies
• Difficulty in troubleshooting and managing the network
• Operational interference between different organizational units
In financial and insurance institutions, such network designs pose serious threats to customer data
confidentiality and internal operations.
2.3 Definition and Advantages of VLAN
A Virtual Local Area Network (VLAN) is a technology that enables the creation of logically
separated networks over a single physical infrastructure. With VLANs, devices can be grouped
based on role, department, or access level—even if they are physically connected to the same
switch.
Key advantages of VLANs include:
• Enhanced Security: Each VLAN acts as a separate network, restricting unauthorized access
across departments.
• Reduced Broadcast Traffic: Broadcast messages are confined within each VLAN, lowering
unnecessary traffic.
• Improved Management: Control and security policies can be implemented more effectively.
• Flexibility: Changes in organizational structure do not require physical rewiring.
• Scalability: New departments can be easily added without major redesign.
2.4 Practical Examples and Use Cases in Organizations
Many modern organizations, especially in the financial and insurance sectors, use VLANs to
separate traffic for departments such as Finance, HR, IT, and Customer Service. For example, in
the case of Afghan Global Insurance, three separate VLANs are planned for the Admin/IT,
Finance/HR, and Customer Service units, each with distinct access control policies and IP
addressing schemes.
2.5 Network Layering (Access, Distribution, Core)
To ensure a scalable and manageable network, the three-tier network architecture is commonly
adopted:
• Access Layer: Where end-users connect to the network. This layer includes switches
configured with VLANs.
• Distribution Layer: Manages traffic between VLANs, enforces ACLs, and performs inter-
VLAN routing.
• Core Layer: Acts as the backbone of the network, connecting different sites or buildings.
In the network design for Afghan Global Insurance, this layered model is implemented to guarantee
both security and optimal performance.
CHAPTER III
PROBLEM DESCRIPTION
3.1 Current Network Status at Afghan Global Insurance
Afghan Global Insurance currently operates on a traditional flat Local Area Network (LAN)
structure. In this architecture, all departments—including IT, Finance, Human Resources, and
Customer Service—exist within a single shared broadcast domain. In other words, data traffic is
not logically segmented based on user roles or security levels.
The absence of VLAN technology in the current network has led to several critical challenges. All
devices, regardless of their data sensitivity or organizational role, are grouped into the same logical
network. As a result, sensitive financial and administrative data may be accessible to all users
across the network, significantly increasing the risk of data breaches and unauthorized access.
Additionally, the lack of traffic separation between departments results in network congestion,
especially during peak business hours. Broadcast and multicast traffic from one department affects
all devices, leading to degraded performance and increased latency. The absence of control
mechanisms such as ACLs or port security further exposes the network to internal threats like ARP
spoofing and unauthorized device connections.
Network management and troubleshooting also become increasingly difficult in such a design.
Without logical segmentation, identifying the source of issues or isolating specific traffic flows
requires more time and effort from IT personnel.
In summary, the current network design at Afghan Global Insurance does not align with the
organization’s operational and security needs. The flat network architecture poses a serious threat
to data confidentiality, system integrity, and overall performance. This situation highlights the
urgent need to design a secure, scalable, and logically segmented VLAN-based LAN.
3.2 Lack of Logical Separation Between Users
One of the most significant issues in the current network infrastructure at Afghan Global Insurance
is the lack of logical separation between users. All employees—regardless of their departmental
affiliation or access requirements—are connected within the same network environment. This
creates a flat structure where there are no boundaries to isolate traffic, control data access, or
enforce security policies based on roles or responsibilities.
Without logical segmentation, sensitive data and internal systems are potentially accessible to
users who should not have permission to view or interact with them. For instance, an employee
from the reception desk may unintentionally gain access to finance-related systems or confidential
human resources files. This lack of control not only violates data confidentiality principles but also
increases the risk of internal misuse or accidental data leakage.
Furthermore, this open environment makes the network more susceptible to lateral movement in
the event of a security breach. If a single device is compromised—either through malware,
phishing, or unauthorized access—the attacker can freely move across the entire network without
encountering logical barriers. This kind of vulnerability is especially dangerous for organizations
dealing with sensitive customer information, such as insurance firms.
From an administrative standpoint, managing user access, monitoring traffic, and enforcing
policies becomes increasingly complex in a flat network. It is difficult to apply targeted restrictions
or audit activities based on department or user group. Every change or security policy needs to be
applied network-wide, which often leads to inefficiencies and security loopholes.
Logical separation through VLANs offers a clear solution to these problems. By assigning specific
VLANs to departments such as IT, Finance, HR, and Customer Service, users can be logically
isolated from one another even while sharing the same physical infrastructure. This enables better
traffic control, enforces the principle of least privilege, and reduces the risk of data exposure across
departments.
In conclusion, the lack of logical separation in the current network structure at Afghan Global
Insurance presents serious operational and security challenges. Implementing VLAN-based
segmentation is a necessary step to create a secure, efficient, and manageable networking
environment.
3.3 Security Risks, Increased Broadcast, and Performance Degradation
Operating on a flat network architecture introduces several critical risks, especially in
organizations that handle sensitive data such as Afghan Global Insurance. Without logical
segmentation through VLANs, all users and devices share the same broadcast domain. This setup
creates multiple vulnerabilities that threaten both the security and performance of the network.
• Security Risks
The absence of access control boundaries increases the potential for internal and external threats.
In a flat network, any user connected to the network may potentially access resources that are not
intended for them. This violates the principle of least privilege and opens the door for data
breaches, either intentionally or by accident.
Internal threats, such as unauthorized access by employees, are particularly concerning. Without
VLANs and ACLs, it is difficult to restrict users to their specific departmental resources. Moreover,
in the event of a malware infection or a compromised device, the threat can spread quickly
throughout the entire network, as there are no logical barriers in place to contain the impact.
• Increased Broadcast Traffic
Flat networks operate within a single broadcast domain, meaning every broadcast packet is sent to
all devices on the network. As the number of connected devices increases, so does the volume of
broadcast traffic. This excessive broadcasting not only leads to network congestion but also wastes
bandwidth and processing resources on every endpoint.
For example, when one device sends an ARP (Address Resolution Protocol) request or a DHCP
broadcast, all other devices receive and process that broadcast—even if it’s irrelevant to them.
Over time, this results in high overhead and reduces the responsiveness of mission-critical systems.
• Performance Degradation
The combination of increased traffic, lack of segmentation, and security vulnerabilities inevitably
leads to performance issues. Users may experience slow access to applications, delayed file
transfers, and degraded VoIP or video conferencing quality. As more departments and users are
added to the network, these issues intensify.
Additionally, troubleshooting performance issues becomes more complex in a flat network.
Without traffic isolation, it is difficult to identify the source of congestion or pinpoint faulty
devices. This can lead to extended downtime and reduced productivity.
3.4 The Need for Designing a VLAN-Based LAN
In today’s technology-driven world, organizational networks must go beyond just providing basic
connectivity—they must ensure high levels of security, manageability, and scalability. The current
flat network architecture at Afghan Global Insurance is no longer sufficient to meet the company’s
strategic, operational, and security needs. Therefore, designing a VLAN-based Local Area
Network (LAN) is not just an option but a necessity.
Key Reasons for Implementing VLAN in This Project:
3.4.1. Enhanced Organizational Security
One of the core goals of any network infrastructure is to protect organizational data and resources.
In a flat network, there is no clear separation between departments, allowing users—sometimes
unintentionally—to access unauthorized systems and data. With VLANs:
• Each department (e.g., IT, Finance, HR, Customer Service) is placed in its own broadcast
domain.
• Access Control Lists (ACLs) can be enforced between VLANs to strictly manage inter-
departmental access.
• In case of a cyberattack or breach, the threat is contained within a single VLAN, minimizing
its impact.
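The inter-VLAN ACL described above can be checked before it is pushed to the switch. The following is an added example, not code from the thesis or from Afghan Global Insurance: it models a Cisco-style first-match ACL with an implicit deny, applied to traffic entering the Finance/HR VLAN, and flags shadowed entries that can never match. The VLAN subnets, the rules and the test flows are assumptions constructed for the example.

```python
"""Added example (not from the thesis): a model of a first-match inter-VLAN ACL
of the kind applied to SVIs on the Layer 3 switch, plus a check for shadowed
entries. VLAN subnets and rules are assumptions constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (IPv4Address(f.src) in self.src
                and IPv4Address(f.dst) in self.dst
                and self.proto in ("ip", f.proto)
                and (self.dport is None or self.dport == f.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matching `other` would already match self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("ip", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl: List[Rule], f: Flow) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(f):
            return rule.action, i
    return "deny", None


def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers every flow they describe (a common ACL ordering mistake)."""
    return [j for j, later in enumerate(acl)
            if any(acl[i].covers(later) for i in range(j))]


# Assumed addressing plan (constructed; the thesis only names the departments).
VLAN_IT = IPv4Network("192.168.10.0/24")       # Admin/IT
VLAN_FIN_HR = IPv4Network("192.168.20.0/24")   # Finance/HR
VLAN_CS = IPv4Network("192.168.30.0/24")       # Customer Service/Reception

# Assumed policy for traffic entering the Finance/HR VLAN, most specific first.
ACL_TO_FINANCE = [
    Rule("permit", VLAN_IT, VLAN_FIN_HR),               # IT administers all VLANs
    Rule("permit", VLAN_CS, VLAN_FIN_HR, "tcp", 443),   # reception reaches the claims web app only
    Rule("deny", VLAN_CS, VLAN_FIN_HR),                 # everything else from reception is blocked
    # implicit "deny ip any any" follows
]


def audit(acl: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str, Optional[int]]]:
    """Evaluate a set of test flows, the way one would verify the policy in Packet Tracer."""
    return [(f, *evaluate(acl, f)) for f in flows]


if __name__ == "__main__":
    samples = [
        Flow("192.168.30.5", "192.168.20.10", "tcp", 443),   # permit (entry 1)
        Flow("192.168.30.5", "192.168.20.10", "tcp", 445),   # deny (entry 2)
        Flow("192.168.10.2", "192.168.20.10", "icmp"),       # permit (entry 0)
        Flow("10.0.0.1", "192.168.20.10", "tcp", 443),       # deny (implicit)
    ]
    for f, action, idx in audit(ACL_TO_FINANCE, samples):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {action} (entry {idx})")
    print("shadowed entries:", shadowed(ACL_TO_FINANCE))
```

Swapping the order of the last two entries makes the HTTPS permit unreachable, which `shadowed` reports as entry 1.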
3.4.2. Better Traffic Control and Reduced Broadcast
Flat networks suffer from excessive broadcast traffic, which can congest bandwidth and degrade
service quality—especially during peak hours. VLANs mitigate this issue by logically segmenting
the network:
• Broadcasts are confined within each VLAN.
• System response time and overall performance improve.
• Switch load is reduced, and traffic management becomes more efficient.
3.4.3. Improved Scalability
Organizations often experience growth—adding branches, employees, or services. In a flat
network, such expansion usually requires redesigning the entire architecture. However, with
VLANs:
• Adding a new department requires only creating a new VLAN.
• No need for physical restructuring.
• Easy integration with future technologies like cloud services, VoIP, and VPNs.
3.4.4. Easier and More Flexible Network Management
VLANs enable network administrators to apply specific policies to departments regardless of
physical location. This is especially helpful in cases such as:
• Moving employees between departments
• Managing guest or temporary user access
• Role-based access control
This flexibility greatly reduces administrative overhead and improves responsiveness to
organizational changes.
3.4.5. Compliance with International Standards
Insurance and financial institutions often must comply with global data protection standards such
as NIST, ISO/IEC 27001, and GDPR. A key requirement of these standards is logical network
segmentation and access limitation, which VLANs fulfill effectively.
CHAPTER IV
RELATED WORK
4.1 Review of Scientific Resources on VLAN and Network Security
Over the past two decades, Virtual Local Area Networks (VLANs) have emerged as a fundamental
technology in enterprise networking, particularly in addressing growing concerns around data
security, traffic management, and scalability. This section reviews key academic publications,
white papers, and industry guidelines that highlight the importance of VLANs in securing and
optimizing organizational networks.
4.1.1 VLANs as a Security Mechanism
Numerous studies have demonstrated that VLANs contribute significantly to network security by
introducing logical segmentation. According to Cisco Systems (2021), VLANs enable
organizations to isolate departments within the same physical infrastructure, reducing the risk of
unauthorized access and limiting the spread of attacks. By implementing VLANs in combination
with inter-VLAN routing and ACLs (Access Control Lists), organizations can enforce strict
communication rules between departments.
L. Wang et al. (2019) in their study "Secure Network Design Using VLANs" showed that enterprises
adopting VLAN-based segmentation experienced a 40–70% reduction in internal security
incidents. The study emphasized the importance of VLANs in applying the principle of least
privilege and reducing attack surfaces within enterprise environments.
4.1.2 Network Segmentation in Best Practices and Standards
The importance of VLANs is also echoed in global cybersecurity standards and best practice
frameworks. For example:
• NIST SP 800-115 recommends VLAN segmentation as part of a layered security model.
• ISO/IEC 27001 stresses the need for internal segmentation to control access to sensitive data.
• The Cisco Networking Academy and CompTIA Network+ certifications also emphasize
VLANs as a key topic in secure network design.
These standards confirm that VLANs are not only a convenience but a necessary component of
secure modern networks.
4.1.3 Technical Documentation and Vendor Recommendations
Technical guides from leading vendors such as Cisco, Juniper, and MikroTik provide in-depth
instructions on VLAN implementation. Common themes across these resources include:
• Creating VLANs for each functional department
• Using Layer 3 switches or routers for inter-VLAN routing
• Applying ACLs to control communication between VLANs
• Enabling Layer 2 security features such as DHCP snooping, dynamic ARP inspection, and port
security
These best practices are vital in protecting against common attack vectors such as man-in-the-
middle attacks, IP spoofing, and unauthorized device connections.
4.1.4 Case Studies in Real-World Organizations
Several case studies have highlighted the practical impact of VLANs on organizational security.
For example:
• A 2020 case study by Sharma et al. on Indian insurance firms demonstrated that implementing
VLANs led to improved regulatory compliance (e.g., GDPR), reduced accidental data
exposure, and enhanced network visibility.
• Studies in educational institutions and hospitals have shown that VLANs help separate guest
networks from internal operations, thereby reducing the chances of external threats infiltrating
sensitive systems.
4.1.5 Relevance to Afghan Organizations
Despite the global adoption of VLANs, few documented examples exist in Afghanistan. Local
institutions continue to rely on outdated flat networks, increasing their vulnerability. This project
seeks to address that gap by demonstrating a VLAN-based implementation tailored to the needs
and limitations of Afghan infrastructure, thereby offering a reference model for similar institutions
across the country.
4.2 Network Threats and the Need for Segmentation
In modern organizations, computer networks have become the backbone of daily operations.
However, this growing reliance on digital infrastructure has significantly increased the exposure
to cyber threats. Insurance companies like Afghan Global Insurance, which handle highly sensitive
financial and personal data, are particularly vulnerable if appropriate security measures—such as
network segmentation—are not in place.
Types of Network Threats in Unsegmented Environments
4.2.1 Internal Threats
Internal threats are often underestimated, yet statistics show that a large percentage of data
breaches and misuse originate from within the organization. Common scenarios include:
• Users having unnecessary access to unrelated systems (e.g., reception staff accessing finance
systems)
• Human errors that result in data being moved, exposed, or deleted
• Unsecured personal devices connected to the main corporate network (BYOD risks)
In flat networks with no logical segmentation, such threats can spread rapidly across the entire
organization.
4.2.2 External Threats
These include cyberattacks originating from the internet or external media. In a flat network:
• Gaining access to one device may open the door to the entire network
• Attacks like ARP spoofing, DHCP attacks, and Man-in-the-Middle are easier to execute
• Malware or ransomware can propagate unchecked across all departments
4.2.3 Why Logical Segmentation Is an Effective Solution
A properly segmented network acts like a secure building with locked rooms. Even if the front
door is breached, attackers cannot easily access everything. VLANs perform this function on a
network level by:
• Reducing the attack surface: An intruder can only affect the VLAN they infiltrate
• Containing threats: If an attack occurs, its spread is limited to one segment
• Enforcing role-based access control: Users are limited to the data and systems necessary for
their jobs
4.2.4 Segmentation as a Core Principle in International Standards
Global cybersecurity frameworks emphasize segmentation as a best practice:
• NIST SP 800-53: Recommends internal access controls and VLAN usage to mitigate insider
threats
• ISO/IEC 27001: Requires logical separation of critical resources in security design
• PCI-DSS (for financial institutions): Mandates separating the payment network from general-
use networks
These standards regard VLANs as a cost-effective tool for achieving secure logical segmentation.
4.2.5 Operational Benefits of Segmentation
Segmentation improves more than just security—it enhances manageability and performance:
• Reduced broadcast traffic and optimized bandwidth usage
• Enables precise policy enforcement for each department
• Simplifies monitoring and network traffic analysis
• Easier troubleshooting and fault isolation
4.3 Recommendations from Cisco, IEEE, NIST, and Other Standards
Leading global organizations such as Cisco, IEEE, and NIST have long provided comprehensive
guidelines for designing secure and scalable networks. These standards and best practices serve as
the foundation for implementing technologies like VLAN, Access Control Lists (ACLs), and Layer
2 security mechanisms. This section summarizes their most relevant recommendations for VLAN-
based network architectures, particularly in environments such as insurance and financial
institutions.
4.3.1 Cisco's Best Practices
Cisco, as a global leader in network technologies, provides detailed documentation on VLAN
implementation through its Cisco Validated Designs (CVDs), training courses, and configuration
guides. Key recommendations include:
• Use of Layer 3 Switching for Inter-VLAN Routing: Cisco suggests using multilayer switches
or routers to route traffic between VLANs, enabling centralized policy enforcement and
scalability.
• ACL Implementation Between VLANs: To limit access between departments, Cisco
recommends using ACLs on VLAN interfaces (SVIs) to enforce role-based access.
• VLAN Trunking Protocol (VTP): For larger networks, Cisco encourages using VTP to manage
VLAN configurations across multiple switches.
• Port Security: Cisco advises enabling port security to restrict access based on MAC addresses
and prevent unauthorized device connections.
• DHCP Snooping and Dynamic ARP Inspection (DAI): These Layer 2 security features are
highly recommended to prevent DHCP spoofing and ARP poisoning attacks.
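How DHCP Snooping and DAI work together is easier to see in a small model. The following is an added example, not the thesis's own configuration or any vendor's code: a switch object with trusted and untrusted ports drops DHCP server replies on untrusted ports, builds a binding table from legitimate exchanges, and uses that table to validate ARP on untrusted ports. Port names, MAC and IP addresses and the VLAN number are constructed sample data.

```python
"""Added example (not from the thesis): a model of how DHCP snooping builds a
binding table from observed DHCP exchanges and how Dynamic ARP Inspection (DAI)
validates ARP packets on untrusted ports against that table. Port names, MAC and
IP addresses are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]   # uplinks / ports towards the real DHCP server
    bindings: Dict[str, Binding] = field(default_factory=dict)          # client MAC -> binding
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # client MAC -> (port, vlan)
    log: List[str] = field(default_factory=list)

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str,
             yiaddr: Optional[str] = None) -> bool:
        """Process one DHCP message seen on `port`. Returns True if forwarded."""
        if msg in SERVER_MESSAGES and port not in self.trusted_ports:
            # A server reply arriving on an access port means a rogue DHCP server.
            self.log.append(f"DROP rogue DHCP {msg} from {port} (untrusted)")
            return False
        if msg in CLIENT_MESSAGES:
            # Remember where the client lives; the reply will arrive on the uplink.
            self.pending[client_mac] = (port, vlan)
        elif msg == "ACK" and yiaddr and client_mac in self.pending:
            cport, cvlan = self.pending.pop(client_mac)
            self.bindings[client_mac] = Binding(client_mac, yiaddr, cvlan, cport)
            self.log.append(f"BIND {client_mac} -> {yiaddr} vlan {cvlan} on {cport}")
        return True

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: ARP on an untrusted port is forwarded only if the sender MAC/IP
        pair matches a snooping binding on that port and VLAN."""
        if port in self.trusted_ports:
            return True
        b = self.bindings.get(sender_mac)
        if b and (b.ip, b.vlan, b.port) == (sender_ip, vlan, port):
            return True
        self.log.append(f"DROP ARP {sender_mac}/{sender_ip} on {port}: no matching binding")
        return False


def demo() -> SnoopingSwitch:
    """Constructed scenario on an assumed Finance/HR VLAN 20."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    # Legitimate client on Fa0/3 obtains 192.168.20.11 from the server behind the uplink.
    sw.dhcp("Fa0/3", 20, "DISCOVER", "00:aa:bb:cc:dd:01")
    sw.dhcp("Gi0/1", 20, "OFFER", "00:aa:bb:cc:dd:01", yiaddr="192.168.20.11")
    sw.dhcp("Fa0/3", 20, "REQUEST", "00:aa:bb:cc:dd:01")
    sw.dhcp("Gi0/1", 20, "ACK", "00:aa:bb:cc:dd:01", yiaddr="192.168.20.11")
    # A DHCP server reply appearing on an access port is dropped.
    sw.dhcp("Fa0/5", 20, "OFFER", "00:aa:bb:cc:dd:01", yiaddr="192.168.20.99")
    # ARP from the bound host is forwarded; a host on Fa0/4 claiming the gateway address is dropped.
    sw.arp("Fa0/3", 20, "00:aa:bb:cc:dd:01", "192.168.20.11")
    sw.arp("Fa0/4", 20, "00:aa:bb:cc:dd:02", "192.168.20.1")
    return sw


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```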
4.3.2 IEEE Standards – 802.1Q and 802.1X
The Institute of Electrical and Electronics Engineers (IEEE) provides industry-wide standards that
define VLAN operation and access control:
• IEEE 802.1Q: This is the core standard for VLAN tagging on Ethernet frames. It allows
switches to distinguish traffic from different VLANs on trunk links. Any VLAN-based network
implementation must comply with this protocol to ensure interoperability.
• IEEE 802.1X: This standard introduces port-based network access control. It's used in
conjunction with VLANs to authenticate users and devices before granting access, often
through RADIUS servers or identity management systems.
These standards form the technical backbone of VLAN technology in enterprise networks.
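To make the 802.1Q tagging described above concrete, the following is an added example, not code from the thesis: it builds a plain Ethernet frame, inserts the 4-byte 802.1Q tag (TPID 0x8100 plus PCP/DEI/VID) as a switch does before forwarding onto a trunk, parses it back, and applies a trunk's allowed-VLAN check. The VLAN IDs (10 IT, 20 Finance/HR, 30 Customer Service) and the MAC addresses are assumed for the example.

```python
"""Added example (not from the thesis): build, tag and parse IEEE 802.1Q Ethernet
frames, the format a trunk link uses to carry several VLANs over one cable.
VLAN IDs used below (10 IT, 20 Finance/HR, 30 Customer Service) are assumed."""
import struct
from typing import Dict, Iterable, Optional

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame as sent by a host on an access port (FCS omitted)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC, as a switch does when
    it forwards an access-port frame onto a trunk."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid        # Tag Control Information
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the header; 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    fields: Dict[str, object] = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
                                 "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        fields.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    fields["ethertype"] = ethertype
    fields["payload"] = frame[offset:]
    return fields


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag before delivering a frame to a host on an access port."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def trunk_accepts(frame: bytes, allowed_vids: Iterable[int], native_vid: int) -> Optional[int]:
    """Ingress check on a trunk: return the VLAN the frame is placed in, or None
    if it is dropped. Untagged frames fall into the native VLAN, which is why
    the native VLAN should be an otherwise unused ID rather than a departmental one."""
    vid = parse_frame(frame)["vid"]
    vid = native_vid if vid is None else vid
    return vid if vid in set(allowed_vids) else None


if __name__ == "__main__":
    host_frame = build_untagged("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"hello")
    trunk_frame = tag_frame(host_frame, 20, pcp=3)
    print(trunk_frame[12:16].hex())        # 81006014: TPID 0x8100, PCP 3, VID 20
    print(parse_frame(trunk_frame))
    print(trunk_accepts(trunk_frame, [10, 20, 30], native_vid=999))
```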
4.3.3 NIST Guidelines – SP 800 Series
The National Institute of Standards and Technology (NIST) in the United States publishes
cybersecurity guidance for federal and enterprise systems. Key documents include:
• NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
o Recommends VLAN segmentation to reduce the lateral movement of threats.
o Emphasizes isolation of sensitive departments to contain security breaches.
• NIST SP 800-53 (Security and Privacy Controls for Information Systems)
o Advises organizations to logically separate networks and enforce access control at the
communication level.
o Encourages the use of least-privilege principles via segmentation and ACLs.
These guidelines are especially applicable to institutions handling personal and financial data—
such as insurance companies.
4.3.4 Other Industry Best Practices and Frameworks
In addition to the above, other international frameworks and vendors recommend VLANs for
secure network design:
• ISO/IEC 27001: Mandates segmentation of critical systems and restricted access to sensitive
data zones.
• Payment Card Industry Data Security Standard (PCI DSS): Requires isolating payment
processing systems from other parts of the corporate network, which can be achieved through
VLANs and firewall rules.
• CompTIA Network+ and Security+ Certifications: These globally recognized IT certifications
include VLAN and segmentation as core topics in network design and cybersecurity planning.
4.4 Comparison of Methods and Innovation in the Current Project
The design and implementation of secure organizational networks have long been a dynamic and
multifaceted field. In recent years, multiple models and approaches have emerged for logical
segmentation, access control, and security in LAN environments. This section compares common
VLAN and network security implementation strategies and highlights the unique innovations
introduced by the Afghan Global Insurance project.
4.4.1 Common Network Segmentation Approaches
1) Flat Network Model (No VLAN)
• Simple and low-cost structure
• No traffic or security segmentation
• Suitable for small-scale environments
• Weaknesses: Large attack surface, excessive broadcast traffic, difficult to manage
2) Static VLAN Assignment
• Manual port-to-VLAN mapping on switches
• Good control during initial design
• Drawback: User movement or changes require manual reconfiguration
3) Dynamic VLAN Assignment (via RADIUS/VMPS)
• VLANs assigned based on user/device identity
• Users can move freely across physical locations
• Suitable for medium to large organizations
• Requires centralized servers and more complex setup
4) Micro-Segmentation (via SDN/Zero Trust Architecture)
• Very fine-grained segmentation at the device or application level
• High security, dynamic control, full visibility of traffic
• Used in large enterprises or advanced data centers
• High cost and requires advanced technical expertise
4.4.2 Position of the Current Project
The VLAN-based network designed for Afghan Global Insurance uses Static VLAN Assignment
but integrates advanced features like ACLs, Port Security, and DHCP Snooping to ensure robust
Layer 2 and Layer 3 security. Compared to a flat network architecture, this approach represents a
major step forward in security and manageability.
The key innovations in the project include:
• Combined use of VLANs and ACLs to enforce communication restrictions between
departments
• A scalable topology that allows future VLAN expansion without major redesign
• Wireless VLAN integration to support mobile devices and remote users
• Full simulation and validation using Cisco Packet Tracer to ensure practical feasibility
4.4.3 Added Value Compared to the Current Situation in Afghanistan
Many insurance companies and government institutions in Afghanistan still operate flat, insecure
networks. This project offers a localized, cost-effective, and standards-based design model that can
significantly improve network security and stability using readily available hardware and
knowledge—without the need for large financial investments.
CHAPTER V
METHODOLOGY
5.1 Requirement Analysis
Before designing a secure and efficient VLAN-based LAN for Afghan Global Insurance, it is
crucial to conduct a comprehensive requirement analysis. This stage ensures that the proposed
network architecture aligns with the company’s operational needs, future goals, security
challenges, and technical limitations.
A well-structured requirement analysis identifies existing problems, defines the technical scope,
and forms the foundation for all subsequent design and implementation phases.
5.1.1. Organizational Overview and Departmental Structure
Afghan Global Insurance is composed of multiple departments, each with distinct operational roles
and data access requirements. The key departments include:
• IT/Admin Department: Responsible for system maintenance, server management, and IT
support. Requires access to all VLANs and central network services.
• Finance & HR Department: Manages payroll, accounting systems, employee records, and
financial reporting. Needs secure access to internal databases.
• Customer Service & Reception: Handles client communications, data entry, and service
requests. Requires access to CRM systems and limited internet usage.
Each department must be logically separated through VLANs to prevent data leakage and
unauthorized cross-department access.
5.1.2. Current Network Infrastructure Assessment
An evaluation of the existing network environment revealed several critical issues:
• Flat network design with no logical separation
• Single subnet used for all devices, increasing broadcast traffic
• Lack of ACLs, firewall rules, or port security mechanisms
• Limited visibility over traffic flows and user activities
• Outdated switches and no centralized management interface
These limitations expose the organization to internal threats and poor performance during peak
business hours. A redesigned VLAN-based structure must resolve these bottlenecks.
5.1.3. User and Device Inventory
To plan the VLANs and IP addressing scheme effectively, an inventory of users and connected
devices is essential:
Department       | Estimated Users | Devices (PCs, Printers, etc.)
IT/Admin         | 5               | 10
Finance/HR       | 10              | 12
Customer Service | 8               | 10
Wireless Clients | ~5              | Smartphones, tablets
Table 1: Departments, users and devices
This inventory supports IP subnetting decisions and VLAN allocation. Each VLAN will have a
dedicated IP range with room for future expansion.
5.1.4. Network Usage and Performance Needs
Each department has different bandwidth, latency, and application needs:
• Finance requires secure and fast access to internal servers.
• Reception mainly uses light web traffic and internal forms.
• IT requires unrestricted access to manage all systems.
• Wireless users require guest-level access and strong isolation from internal data.
These requirements will influence bandwidth allocation, Quality of Service (QoS) policies, and
switch port configurations.
5.1.5. Security and Compliance Considerations
Given the sensitivity of the data handled by Afghan Global Insurance, the network must comply
with security best practices and potential regulatory requirements:
• User access control based on VLAN and ACLs
• DHCP Snooping, Port Security, and ARP inspection to prevent common Layer 2 attacks
• Segmentation of critical assets (e.g., financial databases) from general access
• Compliance with principles from NIST, ISO/IEC 27001, and insurance-sector standards
5.1.6. Project Constraints
• Budget limitations: The solution must be affordable and use existing hardware where possible
• Staff expertise: Network design must be maintainable by local IT staff with basic Cisco skills
• Timeframe: Deployment should be completed within 6 weeks, including testing and training
• Tool availability: Cisco Packet Tracer will be used for simulation and validation
5.2 IP Addressing and Subnetting Design (Expanded and Technical Version)
In any VLAN-based network design, a carefully structured IP addressing and subnetting plan is
essential. Proper IP planning ensures network scalability, easier management, improved security,
and optimal performance. Poor IP design may lead to IP conflicts, broadcast overflow, data
leakage, or limited future growth.
For this project at Afghan Global Insurance, the IP addressing scheme was developed based on the
VLAN structure, current and future user/device estimates, and a clear focus on separation,
manageability, and future-proofing.
5.2.1 Core Concepts Applied
• Subnetting: Dividing a large network into smaller logical segments (e.g., /24 to /27) to isolate
traffic and improve manageability.
• CIDR (Classless Inter-Domain Routing): Modern method of subnet representation using prefix
length (/26, /28, etc.) instead of traditional class A/B/C systems.
• Private IP Addresses (RFC1918): Internal use ranges like 192.168.x.x reserved for LANs.
• Gateway: The default IP address that devices use to communicate outside their VLAN/subnet.
• Broadcast Address: The last IP in a subnet used to send messages to all devices in that subnet.
• Host Range: Usable IPs in each subnet that can be assigned to end devices.
Step-by-Step Requirement Analysis
Step 1: Count Active and Future Hosts
Each department’s current and expected user count was calculated, including:
• PCs, printers, VoIP phones
• Wireless/mobile clients
• Growth margin (30% reserved)
Step 2: Calculate Optimal Subnet Size
Using the formula: Minimum required IPs = Users + Devices + Gateway + Broadcast + Buffer
Then, the smallest subnet size that satisfies the requirement was selected:
Department (VLAN)   | Total Devices (approx.) | Chosen Subnet | Reasoning
VLAN 10 (IT)        | 15                      | /26 (64 IPs)  | Medium size, secure zone
VLAN 20 (Finance)   | 25                      | /26 (64 IPs)  | High usage, sensitive data
VLAN 30 (Reception) | 20                      | /26 (64 IPs)  | Public interaction, low usage
Table 2: VLANs with chosen subnets
Step 3: Final IP Addressing Table
VLAN | Subnet Range     | CIDR | Host Range                     | Gateway       | Broadcast
10   | 192.168.1.0/26   | /26  | 192.168.1.1 – 192.168.1.64     | 192.168.1.1   | 192.168.1.64
20   | 192.168.1.64/26  | /26  | 192.168.1.65 – 192.168.20.128  | 192.168.1.65  | 192.168.1.128
30   | 192.168.1.128/26 | /26  | 192.168.1.128 – 192.168.1.192  | 192.168.1.128 | 192.168.1.192
Table 3: Final IP addressing
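The three steps above can be checked mechanically. The following Python is an added example (not part of the thesis): it applies the Step 2 formula with the 30% growth margin to the device counts of Table 2, reports the smallest prefix each department would need on its own, and then carves the uniform /26 blocks the design chose out of 192.168.1.0/24, deriving gateway, usable host range and broadcast for each block so that hand-written entries such as those in Table 3 can be compared against it. The department counts and the /24 pool are taken from the text; everything else is computed.

```python
import ipaddress
import math

# Constructed input: VLAN -> (department, approximate device count), taken from Table 2.
DEPARTMENTS = {
    10: ("IT", 15),
    20: ("Finance", 25),
    30: ("Reception", 20),
}
GROWTH_MARGIN = 0.30             # Step 1: 30% reserved for growth
CHOSEN_PREFIX = 26               # Step 2 outcome in Table 2: a uniform /26 (64 addresses) per VLAN
ADDRESS_POOL = "192.168.1.0/24"  # RFC 1918 block the VLAN subnets are carved from


def required_addresses(devices: int, margin: float = GROWTH_MARGIN) -> int:
    """Step 2 formula: devices + growth buffer + gateway + network and broadcast addresses."""
    buffer = math.ceil(devices * margin)
    return devices + buffer + 1 + 2


def smallest_prefix(needed: int) -> int:
    """Longest prefix (smallest block) whose power-of-two size still holds `needed` addresses."""
    size = 1
    while size < needed:
        size <<= 1
    return 32 - (size.bit_length() - 1)


def plan(pool: str = ADDRESS_POOL, prefix: int = CHOSEN_PREFIX) -> list:
    """Step 3: assign consecutive /prefix blocks from `pool` in VLAN order and derive
    the addressing-table entries for each block."""
    pool_net = ipaddress.ip_network(pool)
    cursor = int(pool_net.network_address)
    rows = []
    for vlan, (dept, devices) in sorted(DEPARTMENTS.items()):
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if int(net.broadcast_address) > int(pool_net.broadcast_address):
            raise ValueError(f"address pool {pool} exhausted at VLAN {vlan}")
        usable = list(net.hosts())             # excludes the network and broadcast addresses
        needed = required_addresses(devices)
        rows.append({
            "vlan": vlan,
            "department": dept,
            "network": str(net),
            "gateway": str(usable[0]),         # first usable address, the SVI convention used in the design
            "host_range": (str(usable[0]), str(usable[-1])),
            "broadcast": str(net.broadcast_address),
            "minimum_prefix": smallest_prefix(needed),   # what the department alone would need
            "fits": net.num_addresses >= needed,         # does the chosen block satisfy Step 2?
        })
        cursor += net.num_addresses
    return rows


if __name__ == "__main__":
    for row in plan():
        print(row)
```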
5.2.2 Advantages of This IP Design
• Manageability: Each VLAN has a clear, isolated IP block. This makes monitoring and
troubleshooting more straightforward.
• Security: Separate subnets help enforce ACLs and reduce attack surfaces.
• Efficient Broadcast Control: Broadcast domains are limited to each VLAN.
• Future-Proofing: Each subnet includes 30% buffer IPs for future growth.
• ACL Compatibility: Defining security rules based on distinct IP ranges is more precise and
scalable.
Common Design Issues & Our Solutions
Common Design Issue             | Mitigation in This Project
Oversized subnets wasting IPs   | Subnets tailored exactly to department size
IP overlap or conflict          | Exclusive subnet per VLAN; no shared IP blocks
Lack of growth planning         | Buffer space added in each subnet (+30%)
Manual DHCP complications       | DHCP server with predefined scopes per VLAN
Gateway conflicts               | Each VLAN has its own SVI interface (e.g., .1 as gateway)
Table 4: Common design issues and their mitigation in this design
5.2.3 Simulation Results in Cisco Packet Tracer
In the virtual simulation:
• All devices received correct IPs
• Default gateways worked as expected
• Inter-VLAN traffic flowed only where ACLs allowed
• No broadcast traffic leaked between VLANs
• Subnet boundaries were respected and confirmed via diagnostics (ipconfig, ping, traceroute)
5.3 Physical and Logical Topology Design
A successful VLAN-based network project must rely on a carefully planned physical and logical
topology. These two design layers work hand-in-hand: the physical topology defines how hardware
is connected and positioned, while the logical topology outlines how data flows between different
departments, subnets, and VLANs.
In this project for Afghan Global Insurance, the topology is based on a three-tier hierarchical model
(Core – Distribution – Access), aligned with Cisco’s enterprise architecture and industry best
practices, with a strong emphasis on security, segmentation, and scalability.
5.3.1. Physical Topology Design
The physical topology defines the actual layout of networking equipment, cabling paths, device
locations, and power supply arrangements across the office environment.
Core Structure:
• Work Areas:
o Each department connects to a dedicated Layer 2 switch
o CAT6 structured cabling from patch panels to user endpoints
o Ports on switches configured in access mode, assigned to specific VLANs
• Wireless Access Points (APs):
o Installed in reception and meeting rooms
o Connected to a dedicated VLAN for guest access (VLAN 40), fully isolated from internal
systems
Key Features:
• Structured cabling following TIA-568 standards
• Cable lengths kept under 90 meters to avoid signal degradation
• Patch panels and racks ensure neat cable management
• UPS backup ensures uninterrupted power to critical infrastructure
5.3.2. Logical Topology Design
The logical topology is designed to segment the network based on department roles and access
requirements. Each department is assigned a dedicated VLAN, and communication between
VLANs is controlled strictly via Layer 3 routing and ACLs (Access Control Lists).
VLAN Mapping:
VLAN | Department           | Subnet           | Primary Function
10   | IT / Admin           | 192.168.1.0/26   | Full control of network/server systems
20   | Finance / HR         | 192.168.1.65/26  | Payroll, accounting, personnel data
30   | Reception / Services | 192.168.1.128/26 | Customer communication and operations
Table 5: VLAN IP addressing after subnetting
Three-Tier Network Model:
1) Access Layer
o Devices (PCs, printers, VoIP phones) connect to Layer 2 switches
o Ports are in access mode and assigned to specific VLANs
o Security features like port security, DHCP snooping applied here
2) Distribution Layer
o Aggregates traffic from access switches
o Implements ACLs and filtering policies
o Connects access layer to the core for routing decisions
3) Core Layer
o High-speed backbone for routing between VLANs
o Hosts the main SVI interfaces for each VLAN
o Interfaces with key servers (DHCP, DNS, File Server, Internet gateway)
5.3.3. Benefits of Combined Topology
• Enhanced Security: Each department is isolated in its own VLAN, reducing the risk of internal
breaches
• Broadcast Containment: Broadcast traffic stays within each VLAN, reducing network
congestion
• Ease of Management: Clearly documented IP addressing, VLAN assignments, and cable paths
make troubleshooting and maintenance simpler
• Scalability: New VLANs or departments can be added with minimal reconfiguration
• Industry Compliance: The topology aligns with Cisco, NIST, and ISO/IEC recommendations
Textual Description of Proposed Topology
Core of the Network:
• A Layer 3 switch configured with SVIs for each VLAN
• Routing and ACLs enforced at the core level
• Internet access routed through a secured border router
• Optional firewall for deep packet inspection and perimeter protection
Distribution & Access Layers:
• Each department is connected to a dedicated Layer 2 switch
• Each switch’s ports are assigned to the proper VLAN
• ACLs at the distribution layer control traffic flow between departments
Wireless Access:
• Guests connect to APs in VLAN 40
• Internet access allowed; no access to internal VLANs
• AP traffic is tagged and routed separately
5.4 VLAN, Trunk, and ACL Configuration
This section covers the practical implementation of the core elements of the network infrastructure:
VLANs for departmental separation, Trunk ports for carrying multiple VLANs between switches,
and ACLs (Access Control Lists) to enforce access control between departments. This phase is
essential as the functionality and security of the entire network depend on correctly configuring
these elements.
5.4.1. VLAN Configuration
Each department within Afghan Global Insurance is logically isolated in its own VLAN:
VLAN | Department           | VLAN ID | Gateway IP (SVI)
10   | IT / Admin           | VLAN 10 | 192.168.1.1
20   | Finance / HR         | VLAN 20 | 192.168.1.65
30   | Reception / Services | VLAN 30 | 192.168.1.128
Table 6: VLAN gateway (SVI) IP addresses
Example CLI commands for VLAN creation:
Figure 1: Creating VLANs
5.4.2. Configuring Access Ports
Ports connected to end devices are configured in access mode and assigned to a specific VLAN:
Figure 2: Configuring an access port for a VLAN
5.4.3. Trunk Port Configuration
Trunk ports allow the transfer of multiple VLANs between switches, particularly between access
switches and the core/distribution switch:
Figure 3: Declaring a trunk port for VLANs
• Encapsulation dot1q enables VLAN tagging according to IEEE 802.1Q
• Allowed VLANs defines which VLANs can traverse the trunk port
5.4.4. Inter-VLAN Routing Configuration
On the Layer 3 switch, SVIs (Switched Virtual Interfaces) are used to route traffic between
VLANs:
Figure 4: Enabling communication between VLANs
This setup enables controlled communication between VLANs.
5.4.5. ACL Configuration for Access Control
As per the project objectives, Reception staff (VLAN 30) must not access Finance/HR systems
(VLAN 20), but the reverse is permitted. ACLs are used to enforce this:
Sample ACL:
Figure 5: configuration of access list
• Denies all traffic from VLAN 30 to VLAN 20
• Allows all other permitted traffic
5.4.6. Layer 2 Security Enhancements
In line with monograph guidelines, additional Layer 2 security mechanisms are activated to
prevent internal threats:
• Port Security to limit unauthorized device connections
• DHCP Snooping to prevent rogue DHCP servers
• Dynamic ARP Inspection (DAI) to block ARP spoofing attacks
Example Port Security configuration:
Figure 6: configuration of port security for vlans
5.5 Implementation of Layer 2 Security Features
Layer 2 (Data Link Layer) is one of the most vulnerable levels in a LAN environment, especially
in VLAN-based networks. Many internal threats—such as MAC spoofing, ARP poisoning, and
rogue DHCP servers—originate at this layer. While VLANs provide logical segmentation, Layer
2 security features must be activated to protect the infrastructure from insider attacks.
In this section, key Layer 2 security mechanisms are introduced and implemented to enhance the
internal security of the network infrastructure designed for Afghan Global Insurance.
5.5.1. Port Security
Purpose: Prevent unauthorized devices from connecting to switch ports.
Each switch port can be restricted to allow only a limited number of MAC addresses. If an
unknown device attempts to connect, the port can block access or take a predefined action.
Sample configuration:
Figure 7: Prevent unauthorized devices from connecting to switch ports
Benefit: Protects access ports from unauthorized connections and prevents man-in-the-middle
attacks.
5.5.2. DHCP Snooping
Purpose: Prevent rogue DHCP servers from assigning incorrect IP addresses.
DHCP spoofing is a common attack where an unauthorized DHCP server assigns IP addresses to
clients in order to intercept traffic. With DHCP snooping enabled, only trusted ports are allowed
to forward DHCP responses.
Sample configuration:
Figure 8: configuration of DHCP snooping
Only trunk ports and uplinks to legitimate DHCP servers should be marked as trusted.
5.5.3. Dynamic ARP Inspection (DAI)
Purpose: Prevent ARP spoofing or poisoning attacks.
DAI blocks forged ARP packets by verifying that MAC/IP bindings match entries in the DHCP
snooping database.
Sample configuration:
Figure 9: Configuration allowing only the uplink port as trusted for ARP inspection
Only uplink ports to trusted devices should be marked as trusted for ARP inspection.
5.5.4. BPDU Guard
Purpose: Prevent unauthorized switches from altering the spanning tree topology.
BPDU Guard disables access ports that receive STP BPDU packets, helping to stop users from
plugging in rogue switches.
Sample configuration:
Figure 10: configuration against the spanning tree attacks
A critical feature to prevent topology manipulation and spanning-tree attacks.
5.5.5. Preventing VLAN Hopping
Purpose: Stop attackers from jumping from one VLAN to another by exploiting trunk
misconfigurations.
To prevent VLAN hopping:
• Set all user-facing ports to access mode
• Disable Dynamic Trunking Protocol (DTP)
Sample configuration:
Figure 11: Configuration to prevent VLAN hopping
5.6 Testing and Validation Using Cisco Packet Tracer
After completing the logical and physical design, IP addressing, VLAN configuration, trunk setup,
and ACL implementation, the next critical phase is testing and validation of the network in a
simulated environment.
For this project, the network was tested using Cisco Packet Tracer, which allowed for a complete
virtual simulation of the network behavior without requiring physical hardware. This tool enables
users to configure Cisco devices and evaluate their behavior in real-time.
1) Objectives of Testing and Simulation
• Verify VLAN functionality and inter-VLAN routing
• Confirm correct application of ACLs and restricted access policies
• Ensure traffic isolation between departments
• Validate Port Security, DHCP Snooping, and other Layer 2 features
• Test user behavior when a device is moved between ports and VLANs
2) Test Environment Setup in Packet Tracer
The test environment was built in Cisco Packet Tracer based on the network’s physical and logical
topology:
• One Layer 3 switch (core switch) for inter-VLAN routing
• Multiple Layer 2 switches connecting users in different VLANs
• Simulated clients in IT, Finance/HR, Reception, and Guest VLANs
• Access Point connected to VLAN 40 (Wireless/Guest)
• Central DHCP server and file server placed in VLAN 10
3) Executed Test Scenarios
Test 1: Intra-VLAN Connectivity
Method: Ping between two computers within VLAN 20
Result: Successful communication with latency < 1 ms
Test 2: Inter-VLAN Routing
Method: Ping from VLAN 10 (IT) to VLAN 20 (Finance)
Result: Routing worked as expected; communication successful
Test 3: ACL Enforcement
Method: Ping from VLAN 30 (Reception) to VLAN 20 (Finance)
Result: Denied access; ACL was applied successfully
Test 4: Port Security
Method: Connect a second device to a port limited to one MAC address
Result: Port blocked the connection and security log message appeared
Test 5: DHCP Snooping Validation
Method: Deploy a rogue DHCP server in VLAN 30
Result: Rogue DHCP offer was rejected; only trusted DHCP was accepted
Test 6: Dynamic ARP Inspection (DAI)
Method: Send a spoofed ARP packet from a simulated attacker
Result: Packet was dropped; forged ARP was not allowed
Test 7: Guest VLAN Isolation
Method: Try to access internal resources from a guest in VLAN 40
Result: Access denied; guest user had internet access only
Test 8: Port Mobility Test
Method: Move a user from VLAN 30 to a port belonging to VLAN 10
Result: Device obtained a new IP; ACL and permissions updated correctly
4) Documentation of Testing
Throughout the simulation, CLI screenshots, ping responses, routing tables, and ACL outputs were
recorded. These serve as project documentation and can be used for future training, auditing, and
troubleshooting.
5.7 Staff Training and Project Documentation Handover
One of the most important final stages in any IT project—especially in enterprise network
deployment—is ensuring that the organization’s internal team is capable of operating, managing,
and maintaining the system independently. According to the monograph guide, it is essential that
after project implementation, the responsible staff be properly trained, and complete
documentation be handed over.
In this project, following the successful deployment of VLANs, IP subnetting, ACL configuration,
and Layer 2 security features, targeted efforts were made to train the IT staff of Afghan Global
Insurance and to formally hand over all necessary technical documents.
1) Objectives of This Phase
• Provide full understanding of the new network structure and components
• Enable the internal IT team to perform basic configurations and troubleshooting
• Transfer practical knowledge on Cisco CLI, VLANs, DHCP, ACLs, and routing
• Ensure long-term sustainability of the system through quality documentation
2) Training Program Delivered
A structured training program was delivered to the internal IT team through a combination of
theoretical and hands-on sessions. The training used Cisco Packet Tracer, real configuration files,
and real-world network scenarios.
Training Topic                       | Duration | Tools Used
Network Overview & VLAN Structure    | 1 hour   | Network diagrams, whiteboard
Cisco CLI Training (Switch & Router) | 2 hours  | Packet Tracer, terminal
ACLs, DHCP, Port Security Management | 2 hours  | Live simulations, lab cases
Backup & Configuration Recovery      | 1 hour   | Saved config files
Table 7: Plan for internal IT training
A short assessment was conducted at the end to evaluate knowledge retention.
3) Documents Delivered
To support independent management of the system, the following documentation was delivered to
the organization in PDF, Word, and CLI format:
Document Type                       | Content Description
Logical & Physical Network Maps     | Diagrams showing device locations and VLAN connections
VLAN and Subnet Allocation Sheet    | Includes IP ranges, gateways, broadcast addresses, DHCP scopes
CLI Configuration Files             | Switch and router settings for VLANs, trunks, ACLs, Layer 2 security
Port Mapping Table                  | Access/Trunk port assignment per switch
ACL and Security Rules Summary      | With explanations of each rule and access restriction
Troubleshooting & Maintenance Guide | Common scenarios and recommended solutions
Configuration Backup Files          | Used for quick recovery during emergencies
Table 8: Documents delivered at handover
4) Organizational Benefits
• Full IT autonomy in managing the new network
• Quicker response time to potential issues
• Enhanced internal network security through trained staff
• Readiness for future network upgrades or expansion
• Compliance with professional ICT project handover practices
CHAPTER VI
PROJECT DESIGN
6.1 Topological Models
In small to medium-sized network designs, a simple yet effective topology can help reduce
implementation costs while simplifying maintenance and management. In this project for Afghan
Global Insurance, a minimalist and cost-efficient network topology was used—consisting of one
Layer 2 switch and one router, implementing the Router-on-a-Stick method for inter-VLAN
routing.
Despite its simplicity, this model supports full VLAN segmentation, internal security, and
controlled access to network resources and the internet.
1) Physical Topology
Model Used: Basic Star Topology
In this physical structure, all end-user devices—PCs, printers, access points, and VoIP phones—
are directly connected to a central Layer 2 switch. This switch is then connected via a single trunk
link to a router, which handles all inter-VLAN routing.
Key Devices:
• 1 Layer 2 switch
• 1 router (with sub-interfaces configured for VLANs)
• UTP (CAT6) cables to connect clients to the switch
• A trunk port connecting the switch to the router
Physical layout:
Figure 12: Physical layout of network
2) Logical Topology
Model Used: Router-on-a-Stick
In this logical setup, VLANs are created on the Layer 2 switch, while routing between VLANs is
performed by the router. The router uses a single physical interface with multiple sub-interfaces,
each assigned to a specific VLAN.
Logical VLAN Configuration:
VLAN | Department | Subnet           | Router Sub-Interface
10   | IT/Admin   | 192.168.1.0/26   | Fa0/0.10
20   | Finance/HR | 192.168.1.64/26  | Fa0/0.20
30   | Reception  | 192.168.1.128/26 | Fa0/0.30
Table 9: Logical division of VLANs
Each sub-interface is configured with its respective IP address and tagged for the appropriate
VLAN using IEEE 802.1Q encapsulation.
3) Advantages and Limitations
Advantages                                   | Limitations
Low cost with minimal hardware               | Limited scalability for larger enterprise networks
Ideal for small to medium-sized office setups | Single point of failure (the router)
Simple to manage and train IT personnel      | Lower performance compared to multilayer switching
Full support for VLAN isolation and ACLs     | Requires manual sub-interface setup for each VLAN
Table 10: Advantages and limitations
6.2 Flow-Based Models
In an enterprise network, the flow of traffic between clients, servers, and external resources
determines the overall performance, security, and responsiveness of the system. For this project at
Afghan Global Insurance, the network was designed using segmented VLANs and a central router
to perform all inter-VLAN routing and internet access.
The flow-based model describes how packets travel from source to destination, which devices
handle them along the way, and what security policies (ACLs, NAT) are applied during the journey.
1) Inter-VLAN Traffic Flow
Since the network includes a Layer 2 switch and a router (Router-on-a-Stick), all communication
between VLANs must go through the router. For example:
• When a user in VLAN 10 (IT) accesses a file server in VLAN 20 (Finance):
o The packet is sent to the Layer 2 switch
o The switch forwards it via the trunk port to the router
o The router processes the packet using the correct sub-interface
o The reply follows the reverse path
This method applies to all inter-VLAN communication. The switch does not perform routing—
only the router makes forwarding decisions.
2) Client-to-Internal Server Data Flow
Users from various VLANs send packets to internal services such as DHCP, file servers, or printers
hosted in VLAN 10.
Example:
• A client in VLAN 30 sends a file request to 192.168.10.5 (file server)
• The router checks ACL rules to allow or deny access
• If permitted, the packet is forwarded and communication is established
3) Internet Access Flow (Outbound)
Authorized VLANs (excluding VLAN 40 for guests) have access to the internet. The flow process
is as follows:
• The user sends a packet destined for the internet
• The router receives it and applies NAT (Network Address Translation)
• The translated packet is sent to the public internet
• The response is returned and translated back to the client’s private IP
VLAN 40 is restricted to internet access only and cannot communicate with other internal VLANs.
4) Flow Control Using ACLs (Access Control Lists)
ACLs play a central role in controlling how and where packets flow. In this project:
• VLAN 30 (Reception) is not allowed to access VLAN 20 (Finance)
• VLAN 20 can access VLAN 10 (Admin/Servers)
• VLAN 40 (Guest) has no access to any internal VLAN
Example of a denied flow:
A user from VLAN 30 attempts to ping 192.168.20.10 → the ACL checks the rule → access is denied
and the packet is dropped.
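The ACL logic described here and in section 5.4.5 can be exercised offline. The following Python is an added example, not the thesis's own configuration: it parses a constructed ACL written in IOS extended-ACL syntax (wildcard masks, `host`, `any`, first match wins, implicit deny at the end) that implements the policy above, and evaluates the flows listed in this section and in Table 11. The host addresses are picked from the /26 plan of section 5.2, and the guest block 192.168.1.192/26 is an assumption, since the thesis gives no subnet for VLAN 40.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL in IOS extended-ACL syntax, evaluated top-down on the router.
# The guest block 192.168.1.192/26 is assumed for this example (VLAN 40's subnet is not given).
ACL_TEXT = """
ip access-list extended INTER-VLAN
 deny   ip 192.168.1.128 0.0.0.63 192.168.1.64 0.0.0.63
 deny   ip 192.168.1.192 0.0.0.63 192.168.1.0 0.0.0.255
 permit ip any any
"""

# Constructed flows: name -> (source IP, destination IP), following the cases in the text and Table 11.
FLOWS = {
    "reception_to_finance": ("192.168.1.130", "192.168.1.70"),
    "finance_to_it":        ("192.168.1.70", "192.168.1.5"),
    "it_to_reception":      ("192.168.1.5", "192.168.1.130"),
    "guest_to_internal":    ("192.168.1.200", "192.168.1.5"),
    "guest_to_internet":    ("192.168.1.200", "203.0.113.10"),   # documentation address standing in for the internet
}


@dataclass(frozen=True)
class Matcher:
    base: int        # address bits that must match
    wildcard: int    # 1 bits are "don't care", as in IOS wildcard masks

    def matches(self, addr: str) -> bool:
        return (int(ipaddress.ip_address(addr)) | self.wildcard) == (self.base | self.wildcard)


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: Matcher
    dst: Matcher


def _matcher(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return Matcher(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return Matcher(int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return Matcher(int(ipaddress.ip_address(tokens[i])),
                   int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_acl(text: str):
    """Turn the permit/deny lines of an extended ACL into Rule objects, in order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # blank lines and the 'ip access-list' header are not entries
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are handled here: {line.strip()!r}")
        src, i = _matcher(tokens, 2)
        dst, _ = _matcher(tokens, i)
        rules.append(Rule(tokens[0], src, dst))
    return rules


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; with no match the packet hits the implicit deny."""
    for rule in rules:
        if rule.src.matches(src_ip) and rule.dst.matches(dst_ip):
            return rule.action
    return "deny"


def check_policy(acl_text: str = ACL_TEXT, flows=FLOWS) -> dict:
    """Verdict for every named flow, so the policy table can be checked before deployment."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, src, dst) for name, (src, dst) in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:22s} {verdict}")
```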
5) Security Analysis of Data Flow
Data Flow Path                    | Access Level | Security Enforcement
Internal Users ↔ Internal Servers | Controlled   | ACL + Subnet Segmentation
Users ↔ Internet                  | Controlled   | NAT + Optional ACL or Firewall
Guests ↔ Internal Resources       | Blocked      | VLAN Isolation + ACL
VLAN 30 (Reception) → VLAN 20     | Denied       | ACL deny rules
VLAN 10 (IT/Admin) → All VLANs    | Permitted    | Full access for network managers
Table 11: Data flow security analysis
6.3 Functional Models
Functional models describe how different components in the network perform their specific roles
and interact with one another to fulfill organizational needs. In this project, instead of using
dedicated servers, the central router is responsible for all key network functions including routing,
DHCP, and NAT, while the Layer 2 switch manages VLAN assignments and physical device
connectivity.
This simplified but well-structured approach is efficient and manageable for a medium-sized
organization like Afghan Global Insurance.
1) VLAN Functions
VLANs serve as the foundation for logical segmentation of departments within the organization:
VLAN | Department | Primary Function
10   | IT/Admin   | Network control and configuration
20   | Finance/HR | Accounting and personnel data handling
30   | Reception  | Customer service and public interactions
Table 12: Functions of the different VLANs
• VLANs are defined on the Layer 2 switch
• No VLAN can communicate with another directly—all traffic passes through the router
• Each VLAN operates in isolation unless access is explicitly allowed via ACLs
2) Layer 2 Switch Functions
• Connects all end-user devices via access ports
• Assigns each port to a specific VLAN for logical separation
• Forwards VLAN-tagged traffic to the router via a trunk port
• Implements port security to block unauthorized devices
The switch does not handle routing but plays a crucial role in physical access control and VLAN
enforcement.
3) Router Functions (Router-on-a-Stick)
In the absence of dedicated servers, the router takes on several vital roles:
• Inter-VLAN Routing using sub-interfaces configured with 802.1Q tagging
• DHCP Services: assigns IP addresses dynamically to clients in each VLAN
• ACL Enforcement: restricts or allows inter-VLAN access based on IP or subnet rules
• NAT (Network Address Translation): translates internal IPs for internet access
• Default Gateway: acts as the primary gateway for all devices in the network
Example:
A client in VLAN 20 receives its IP from the router’s DHCP service, is allowed (via ACL) to reach
IT resources in VLAN 10, and accesses the internet using NAT through the same router.
4) Guest VLAN and Access Point
• The Access Point is assigned to VLAN 40
• Guests can access only the internet—no internal resources
• All inter-VLAN traffic from VLAN 40 is blocked using ACLs
• This ensures full isolation of guest traffic from the production network
6.4 Network Diagrams and Charts
For better understanding of the network's architecture and behavior, the use of visual diagrams and
data charts is essential. These tools are not only helpful during design and implementation but also
serve as valuable references for documentation, training, troubleshooting, and long-term
maintenance.
In this project, several physical and logical diagrams were developed, along with supporting charts,
to visualize device relationships, traffic flow, VLAN assignments, and IP structure.
1) Physical Topology Diagram
This diagram illustrates how devices are physically connected in the real-world environment.
Structure:
• All users, printers, and network devices are connected directly to a central Layer 2 switch
• The switch is connected via a trunk port to the main router
• The router has an uplink to the internet
• The Access Point (for guest use) is connected to a designated access port on the switch
Purpose: Show cable layout, device placement, and physical port connections
2) Logical Topology Diagram
This diagram presents the conceptual design, focusing on how VLANs are segmented and how
traffic flows logically.
Key elements:
• VLAN 10: IT/Admin department
• VLAN 20: Finance/HR
• VLAN 30: Reception
• The router has sub-interfaces configured for each VLAN (Router-on-a-Stick)
• ACLs control communication between VLANs
• NAT is applied for internet access
Purpose: Visualize how VLANs are separated and how routing and policies are applied
3) VLAN and Port Assignment Table
Switch Port | Mode | Assigned VLAN | Description
Fa0/1–Fa0/5 | Access | VLAN 10 | IT department users
Fa0/6–Fa0/10 | Access | VLAN 20 | Finance/HR users
Fa0/11–Fa0/15 | Access | VLAN 30 | Reception department
Fa0/16 | Trunk | All VLANs | Link to router (Router-on-a-Stick)
Table 13: Port-to-VLAN assignment
Purpose: Assist in port documentation and simplify future maintenance
4) Data Flow Chart
This flowchart outlines how traffic moves internally and externally:
• Users send requests → Switch forwards to router
• Router checks ACL → permits or denies the traffic
• If internet access is needed → NAT is applied → packet forwarded to ISP
• Return traffic is translated and delivered to the client
Purpose: Analyze traffic security, routing, and policy enforcement
5) IP Address Allocation Table
VLAN | Subnet | Gateway | DHCP Range
10 | 192.168.1.0/26 | 192.168.1.1 | 192.168.1.1 – 192.168.1.63
20 | 192.168.1.65/26 | 192.168.1.65 | 192.168.1.65 – 192.168.1.127
30 | 192.168.1.128/26 | 192.168.1.128 | 192.168.1.129 – 192.168.1.191
Table 14: IP addressing plan
Purpose: Help identify IP schemes and manage client assignments and subnetting
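An addressing plan like Table 14 is only useful if every row is one a router will accept and one that will not hand a client the gateway, network or broadcast address. The following script is an added example (not code from the thesis) that transcribes Table 14 exactly as written, checks each row with Python's ipaddress module, and then renders the router-on-a-stick sub-interfaces and DHCP pools of section 6.3 from the normalized subnets. Run over the table as written, it flags DHCP ranges that include the gateway or end on the broadcast address, a subnet given with host bits set, and a gateway equal to the network address; the trunk interface name and the pool names in the rendered configuration are assumptions.

```python
"""Validate a VLAN addressing plan and render router-on-a-stick sub-interfaces from it."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanPlan:
    vlan: int
    subnet: str       # as written in the plan, e.g. "192.168.1.0/26"
    gateway: str
    dhcp_start: str
    dhcp_end: str


# Constructed sample: the rows of Table 14, copied exactly as the table gives them.
PLAN = [
    VlanPlan(10, "192.168.1.0/26", "192.168.1.1", "192.168.1.1", "192.168.1.63"),
    VlanPlan(20, "192.168.1.65/26", "192.168.1.65", "192.168.1.65", "192.168.1.127"),
    VlanPlan(30, "192.168.1.128/26", "192.168.1.128", "192.168.1.129", "192.168.1.191"),
]


def check_vlan(p: VlanPlan) -> list[str]:
    """Return human-readable problems with one row; an empty list means the row is sound."""
    issues = []
    net = ipaddress.ip_network(p.subnet, strict=False)   # strict=False tolerates host bits
    if str(net) != p.subnet:
        issues.append(f"subnet {p.subnet} has host bits set (network is {net})")
    gw = ipaddress.ip_address(p.gateway)
    start, end = ipaddress.ip_address(p.dhcp_start), ipaddress.ip_address(p.dhcp_end)
    if gw == net.network_address:
        issues.append("gateway is the network address")
    elif gw == net.broadcast_address:
        issues.append("gateway is the broadcast address")
    elif gw not in net:
        issues.append("gateway is outside the subnet")
    if start > end:
        issues.append("DHCP range start is after its end")
    if start not in net or end not in net:
        issues.append("DHCP range leaves the subnet")
    if start == net.network_address or end == net.broadcast_address:
        issues.append("DHCP range includes the network or broadcast address")
    if start <= gw <= end:
        issues.append("DHCP range includes the gateway")
    return issues


def check_plan(plan: list[VlanPlan]) -> dict[int, list[str]]:
    """Check every row and, in addition, that no two VLAN subnets overlap."""
    result = {p.vlan: check_vlan(p) for p in plan}
    nets = [(p.vlan, ipaddress.ip_network(p.subnet, strict=False)) for p in plan]
    for i, (v1, n1) in enumerate(nets):
        for v2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                result[v1].append(f"subnet overlaps with VLAN {v2}")
    return result


def router_config(plan: list[VlanPlan], trunk_if: str = "GigabitEthernet0/1") -> str:
    """Render 802.1Q sub-interfaces and DHCP pools (Cisco IOS syntax).
    The gateway is derived as the first usable host of the normalized subnet and is
    excluded from the pool; the trunk interface and pool names are assumptions."""
    lines = []
    for p in plan:
        net = ipaddress.ip_network(p.subnet, strict=False)
        gw = net.network_address + 1
        lines += [
            f"interface {trunk_if}.{p.vlan}",
            f" encapsulation dot1Q {p.vlan}",
            f" ip address {gw} {net.netmask}",
            f"ip dhcp excluded-address {gw}",
            f"ip dhcp pool VLAN{p.vlan}",
            f" network {net.network_address} {net.netmask}",
            f" default-router {gw}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    for vlan, issues in check_plan(PLAN).items():
        print(f"VLAN {vlan}: {'OK' if not issues else '; '.join(issues)}")
    print(router_config(PLAN))
```

The check is deliberately strict: a DHCP pool that overlaps the gateway produces intermittent duplicate-address faults that are hard to diagnose later, so the plan should be corrected on paper before any interface is configured.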
6.5 Equipment Layout, Wireless Access, and VLAN Allocation
In small organizational networks where no dedicated server room or server hardware is used—
often due to financial or spatial limitations—the physical and logical layout of network devices
becomes critically important. In this project, the network for Afghan Global Insurance was designed
using only one Layer 2 switch, one router, and one wireless access point, while still ensuring
professional performance, logical segmentation, and internal security.
1) Physical Equipment Layout
All devices in the network are installed in a basic office environment without the use of server
racks or a separate server room.
Router:
• Placed on a management desk or in a secured office corner
• Main roles:
o Inter-VLAN routing (Router-on-a-Stick)
o DHCP services for all clients
o NAT for internet access
• Connected to the Layer 2 switch via a trunk port
Layer 2 Switch:
• Installed in a central, accessible location (e.g., on a shelf or in a cabinet)
• All end-user devices connect to access ports
• VLANs are assigned to specific ports based on department
• One trunk port links the switch to the router
Wireless Access Point:
• Installed in a common area, such as a hallway, reception, or meeting room
• Assigned to VLAN 40 (Guest)
• Provides internet-only access for visitors and does not allow access to internal resources
2) Alignment of Physical Layout and VLANs
The logical VLAN design directly reflects the physical locations and functional needs of each
department:
Physical Location | Connected Devices | Assigned VLAN
Manager’s Desk or Network Desk | Central Router | Trunk (all VLANs)
IT Staff Workstations | Laptops, desktops | VLAN 10
Finance/HR Office | Accounting workstations | VLAN 20
Reception Desk | Client registration systems | VLAN 30
Table 15: Physical placement of devices and their VLAN connections
• No direct communication exists between VLANs
• All inter-VLAN traffic is routed through the central router and controlled by ACLs
3) Design Considerations for a Simple Layout
• Use of CAT6 cables for reliable connections
• Equipment placement based on user proximity and physical security
• Access Point installed centrally to ensure optimal wireless coverage
• Proper cable labeling and port documentation
• No need for special cooling or physical server infrastructure
CHAPTER VII
PROJECT IMPLEMENTATION
7.1 List of Hardware and Software Equipment
This section introduces the hardware and software components required for designing and
implementing a VLAN-based Local Area Network (LAN) for Afghan Global Insurance. The
selection of equipment is based on the organization's needs, the proposed network structure,
security requirements, and cost efficiency. The primary goal is to establish a secure, stable, and
scalable network infrastructure.
Hardware Components:
1) Managed Layer 2 Switch (24-Port):
Used to define VLANs and assign switch ports accordingly. This device enables traffic control and
logical separation between departments within the organization.
2) Router with Inter-VLAN Routing Capability:
Required for enabling controlled communication between VLANs. A router or Layer 3 switch is
used to handle inter-VLAN routing.
3) VLAN-Capable Wireless Access Points:
These access points provide secure wireless connectivity within each department. Each AP is
associated with a specific VLAN to ensure role-based access.
4) Cat6 Network Cable:
Used for wired connectivity with high bandwidth and minimal electromagnetic interference. Cat6
cabling supports the core LAN infrastructure.
5) RJ-45 Connectors and Crimping Tools:
Essential for terminating Ethernet cables and establishing physical network connections.
6) Network Rack (1U or Standard Size):
Ensures secure and organized installation of network devices in a controlled environment.
7) Uninterruptible Power Supply (UPS):
Provides backup power to protect network devices from unexpected power outages and ensure
continuous operation.
Software Tools:
1) Network Simulation Software (Cisco Packet Tracer):
Used for simulating and testing the network topology before actual deployment. It allows
validation of configurations and troubleshooting.
2) Network Monitoring Software (e.g., PRTG or Zabbix):
These tools are used for real-time performance monitoring, identifying bottlenecks, and logging
security events within the network.
3) Technical Documentation and User Manuals:
Printed and digital documentation covering VLAN setup, ACL configuration, DHCP Snooping,
and general network maintenance, prepared for training and future reference.
During the implementation phase, all listed equipment will be procured and installed according to
project requirements. This standard equipment list ensures optimal performance, enhanced
security, and future scalability of the network.
7.2 Physical Installation and Setup Process
This section outlines the steps taken for the physical installation of network equipment and the
initial setup of the VLAN-based LAN system for Afghan Global Insurance. The process includes
equipment installation, structured cabling, device placement, and preparation of communication
infrastructure.
The implementation steps include the following:
1) Structured Cabling:
Cat6 cables were installed from the main rack to each workstation to ensure a stable wired
connection between clients, servers, and networking devices.
2) Installation of Switches, Router, and Equipment in the Rack:
All core devices were securely mounted in a standard network rack. Port arrangements and cable
organization were carefully labeled for clarity and ease of maintenance.
3) Deployment of Wireless Access Points:
Wireless access points (APs) were installed in key departmental areas and connected to trunk ports
on switches to support VLAN-tagged wireless traffic.
4) Uninterruptible Power Supply (UPS) Setup:
A UPS was connected to the critical network devices to protect against unexpected power failures
and ensure uninterrupted operation.
5) Initial Inspection and Connectivity Testing:
After installation, initial tests were performed to verify cable integrity, port functionality, and
access point status.
Outcome:
Upon completing these steps, the physical infrastructure of the network was fully prepared,
enabling the logical configuration of VLANs and implementation of network security features.
7.3 VLAN, Router, and Switch Configuration
This section describes the logical configuration of the network, including VLAN definitions, port
assignments, inter-VLAN routing, and the application of Access Control Lists (ACLs). This step
was crucial to ensure traffic isolation, enforce security policies, and control access between
different departments within the organization.
Configuration Steps:
1) VLAN Definitions:
Separate VLANs were created for each department within the organization. For example:
o VLAN 10: Information Technology (IT) Department
o VLAN 20: Finance and Human Resources
o VLAN 30: Reception and Customer Services
2) Switch Port Assignment (Access Ports):
Switch ports were manually assigned to their corresponding VLANs to ensure that each device
remains logically isolated within its own VLAN.
3) Trunk Port Configuration:
Trunk ports were configured to carry multiple VLANs between switches and between switches
and the router. These ports use the IEEE 802.1Q protocol to tag VLAN traffic.
4) Inter-VLAN Routing:
A router or Layer 3 switch was used to enable controlled communication between VLANs. This
routing ensured that only authorized traffic could pass from one VLAN to another.
5) Access Control List (ACL) Implementation:
ACLs were configured to restrict traffic between VLANs. For example, reception staff were
allowed access only to specific servers but were denied access to sensitive financial or
administrative resources.
7.4 Enabling Port Security, DHCP Snooping, and ACL
To enhance the security of the VLAN-based network designed for Afghan Global Insurance, it is
crucial to implement key Layer 2 and Layer 3 security mechanisms. This section covers the
configuration of three essential technologies: Port Security, DHCP Snooping, and Access Control
Lists (ACLs).
7.4.1 Port Security
Port Security is a vital Layer 2 security feature that limits the number of devices allowed to connect
through a specific switch port. It helps prevent attacks such as MAC flooding. In this project, Port
Security was enabled on access ports of each VLAN to allow only authorized MAC addresses to
connect.
Example Cisco switch configuration:
Figure 13: Configuration of Layer 2 port security
7.4.2 DHCP Snooping
DHCP Snooping protects the network from rogue DHCP servers by allowing DHCP responses
only from trusted ports. This prevents unauthorized devices from issuing incorrect IP
configurations. In this implementation, the port connected to the DHCP server was marked as
"trusted", while all other access ports were set as untrusted.
Example configuration:
Figure 14: DHCP snooping configuration for securing switch ports
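Figures 13 and 14 are not reproduced on the page, so the following script is an added example (not the thesis's own configuration) of the switch side of sections 7.3 and 7.4: it turns the port plan of Table 13 into Cisco IOS commands covering VLAN definitions, access ports with port security and BPDU guard, the 802.1Q trunk to the router, and DHCP snooping in which only the router-facing trunk is trusted. The VLAN names, the Fa0/17 port for the guest access point, the MAC limit and the violation mode are assumptions; the interface numbers follow Table 13.

```python
"""Render the Layer 2 switch configuration for the port plan of Table 13."""
from dataclasses import dataclass
from typing import Optional

# VLAN names are assumptions; the IDs and departments come from Table 12 and section 6.3.
VLANS = {10: "IT_ADMIN", 20: "FINANCE_HR", 30: "RECEPTION", 40: "GUEST"}


@dataclass(frozen=True)
class PortRange:
    first: int
    last: int
    mode: str               # "access" or "trunk"
    vlan: Optional[int]     # access VLAN; None on a trunk


# Constructed from Table 13; Fa0/17 for the guest access point is an assumption.
PORTS = [
    PortRange(1, 5, "access", 10),
    PortRange(6, 10, "access", 20),
    PortRange(11, 15, "access", 30),
    PortRange(16, 16, "trunk", None),
    PortRange(17, 17, "access", 40),
]


def iface(r: PortRange) -> str:
    if r.first == r.last:
        return f"FastEthernet0/{r.first}"
    return f"range FastEthernet0/{r.first} - {r.last}"


def port_block(r: PortRange, vlans: dict, max_macs: int, violation: str) -> list:
    lines = [f"interface {iface(r)}"]
    if r.mode == "trunk":
        lines += [
            " switchport mode trunk",
            f" switchport trunk allowed vlan {','.join(map(str, vlans))}",
            " ip dhcp snooping trust",   # only the router-facing link may send DHCP offers
        ]
    else:
        lines += [
            " switchport mode access",
            f" switchport access vlan {r.vlan}",
            " switchport port-security",
            f" switchport port-security maximum {max_macs}",
            " switchport port-security mac-address sticky",   # learn and keep the first MAC
            f" switchport port-security violation {violation}",
            " spanning-tree portfast",
            " spanning-tree bpduguard enable",   # an end-user port must never speak STP
        ]
    return lines


def switch_config(ports=PORTS, vlans=VLANS, max_macs=1, violation="restrict") -> str:
    lines = []
    for vid, name in vlans.items():
        lines += [f"vlan {vid}", f" name {name}"]
    lines += [
        "ip dhcp snooping",
        f"ip dhcp snooping vlan {','.join(map(str, vlans))}",
        # With snooping on, the switch inserts option 82 into client requests, and an IOS
        # router acting as DHCP server drops such requests by default; clear the option.
        "no ip dhcp snooping information option",
    ]
    for r in ports:
        lines += port_block(r, vlans, max_macs, violation)
    return "\n".join(lines)


def trusted_interfaces(config: str) -> list:
    """Audit helper: which interfaces does a rendered config trust for DHCP?
    Anything other than the uplink to the router is a misconfiguration."""
    trusted, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):]
        elif line.strip() == "ip dhcp snooping trust":
            trusted.append(current)
    return trusted


if __name__ == "__main__":
    cfg = switch_config()
    print(cfg)
    print("DHCP-trusted:", trusted_interfaces(cfg))
```

The violation mode defaults to restrict, which keeps the port up but drops frames from unknown MAC addresses and raises the violation counter that the training module in section 7.5 teaches staff to monitor; shutdown is stricter but needs a manual recovery on every incident. The trusted_interfaces check is the kind of one-line audit worth running on any saved configuration: if it ever lists an access port, a rogue DHCP server can be plugged into that port unnoticed.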
7.4.3 Access Control Lists (ACLs)
ACLs are used to strictly control inter-VLAN communication by defining which devices or
services are allowed to communicate. These rules were applied on the router or Layer 3 switch to
ensure restricted access. For instance, the Finance VLAN was allowed to communicate only with
a specific server in the IT VLAN over HTTPS.
Example configuration:
Figure 15: Creating an access list on the router
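Because Figure 15 is not reproduced, the following script is an added example (not the router configuration of the thesis) of the ACL behaviour described in section 7.4.3, in the data flow chart of section 6.4 and in the section 6.3 example: it models the stated policy (Finance may reach one IT server over HTTPS only; the guest VLAN may reach only the internet; everything else between VLANs falls to the implicit deny) and evaluates sample flows the way a router walks an extended ACL, top to bottom with the first match deciding. The subnets are Table 14 normalized to network addresses; the IT server address, the guest subnet and the internal aggregate are assumptions.

```python
"""First-match evaluation of the inter-VLAN ACL policy, plus IOS rendering."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from Table 14, normalized to their network addresses.
FIN_NET = ipaddress.ip_network("192.168.1.64/26")
# Assumed values: the thesis names neither the guest subnet nor the IT server address.
GUEST_NET = ipaddress.ip_network("192.168.40.0/24")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # aggregate covering every internal VLAN
IT_SERVER = ipaddress.ip_network("192.168.1.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry, like a line of an IOS extended ACL."""
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"               # "ip" matches any protocol
    dport: Optional[int] = None     # destination port, only meaningful for tcp/udp


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


# Applied inbound on the VLAN 20 sub-interface: Finance reaches the IT server over HTTPS only,
# nothing else internal, and the internet (which then goes through NAT).
FINANCE_IN = [
    Ace("permit", FIN_NET, IT_SERVER, "tcp", 443),
    Ace("deny", FIN_NET, INTERNAL),
    Ace("permit", FIN_NET, ANY),
]
# Applied inbound on the VLAN 40 sub-interface: guests get the internet and nothing internal.
GUEST_IN = [
    Ace("deny", GUEST_NET, INTERNAL),
    Ace("permit", GUEST_NET, ANY),
]


def matches(ace: Ace, flow: Flow) -> bool:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in ace.src or dst not in ace.dst:
        return False
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: list, flow: Flow) -> tuple:
    """Walk the list top to bottom; the first matching entry decides.
    Returns (action, entry index); ("deny", None) is the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if matches(ace, flow):
            return ace.action, i
    return "deny", None


def _operand(net: ipaddress.IPv4Network) -> str:
    """IOS address syntax: 'any', 'host X', or 'network wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render(name: str, acl: list) -> str:
    """Render a named extended ACL in IOS syntax (the implicit deny is not written)."""
    lines = [f"ip access-list extended {name}"]
    for ace in acl:
        line = f" {ace.action} {ace.proto} {_operand(ace.src)} {_operand(ace.dst)}"
        if ace.dport is not None:
            line += f" eq {ace.dport}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in (Flow("192.168.1.70", "192.168.1.10", "tcp", 443),
                 Flow("192.168.1.70", "192.168.1.10", "tcp", 22)):
        print(flow, "->", evaluate(FINANCE_IN, flow))
    print(render("FINANCE_IN", FINANCE_IN))
```

Entry order is the whole point: the HTTPS permit must sit above the blanket internal deny, and the internal deny must sit above the internet permit, otherwise the broader entry matches first and the narrower one is never reached. Keeping the policy in a structure like this and evaluating test flows against it before applying the rendered lines is a cheap way to catch such ordering mistakes.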
By implementing these three features, the designed network significantly improves its protection
against common internal threats, ensures logical segmentation, and provides better administrative
control. This results in both enhanced security and improved network performance.
7.5 Employee Training
The successful implementation of any network infrastructure is not complete without ensuring that
the organization's personnel are adequately trained to manage, monitor, and maintain the system.
In this section, the training plan for Afghan Global Insurance’s IT staff is presented, focusing on
the operational management of the VLAN-based LAN.
7.5.1 Training Objectives
The primary objective of the training session is to enable IT staff to:
• Understand the concept and structure of VLAN-based segmentation.
• Perform basic configuration and troubleshooting of VLANs and Access Control Lists (ACLs).
• Monitor DHCP snooping logs and port security violations.
• Add or remove users within VLAN boundaries.
• Respond effectively to common security incidents and networking faults.
7.5.2 Training Modules
The training is divided into the following key modules:
1. VLAN Fundamentals
o Introduction to VLAN concepts, tagging, trunking
o VLAN-to-port assignment and verification
2. Inter-VLAN Routing and ACLs
o Layer 3 communication principles
o Creating, editing, and applying ACLs for secure routing
3. Layer 2 Security Features
o Enabling and interpreting DHCP snooping logs
o Configuring port security on switches
o Understanding violation modes (protect, restrict, shutdown)
4. Network Monitoring Tools
o Overview of tools such as Wireshark, PRTG, or Zabbix
o Basic SNMP-based device monitoring
5. Hands-on Lab Sessions
o Simulating real-world scenarios using Cisco Packet Tracer
o Troubleshooting exercises (ping failures, VLAN misconfigurations, ACL blocks)
7.5.3 Training Delivery Format
The training program was delivered over one day through a combination of:
• Instructor-led sessions
• Visual presentations (PowerPoint)
• Hands-on practical labs
• Q&A discussion blocks
Training materials, including quick-reference sheets and configuration templates, were provided
to all participants for future use.
7.6 Project Execution Timeline
The implementation of the VLAN-Based network for Afghan Global Insurance is planned over a
structured six-week schedule. The following timeline breaks the project into distinct phases to
ensure an organized, effective, and trackable deployment process.
7.7 Project Timeline (6 Weeks)
Phase | Activities | Duration | Start Date | End Date | Responsible Party
Requirement Gathering | Site survey, stakeholder interviews, infrastructure analysis | 4 days | Week 1 (Monday) | Week 1 (Thursday) | Project Manager, Analyst
Network Design | IP planning, VLAN assignments, topology design, hardware listing | 5 days | Week 1 (Friday) | Week 2 (Thursday) | Network Engineer
Procurement & Prep | Equipment preparation, cable setup, initial documentation | 3 days | Week 2 (Friday) | Week 3 (Tuesday) | Procurement Officer
Physical Installation | Cabling, switch/router setup, rack mounting | 5 days | Week 3 (Wednesday) | Week 4 (Tuesday) | Installation Technician
VLAN Configuration | VLAN ID creation, trunk port setup, inter-VLAN routing, ACL configuration | 4 days | Week 4 (Wednesday) | Week 5 (Monday) | Network Engineer
Security Implementation | Enable DHCP Snooping, Port Security, BPDU Guard | 2 days | Week 5 (Tuesday) | Week 5 (Wednesday) | Security Engineer
Testing & Troubleshooting | Connectivity tests, ping check, VLAN and ACL verification | 2 days | Week 5 (Thursday) | Week 5 (Friday) | QA Team, Network Engineer
IT Staff Training | Training on VLAN, ACL, monitoring tools, basic troubleshooting | 1 day | Week 6 (Monday) | Week 6 (Monday) | Project Lead / Trainer
Final Handover & Documentation | Delivery of diagrams, configs, and user manuals | 2 days | Week 6 (Tuesday) | Week 6 (Wednesday) | Documentation Team
CHAPTER VIII
CONCLUSION
This monograph presented the design and implementation of a secure, VLAN-based Local Area
Network (LAN) for Afghan Global Insurance, aiming to address the limitations of a traditional flat
network and to enhance security, scalability, and manageability within the organization.
8.1 Purpose and Problem Summary
The primary objective was to create a logically segmented network where each department could
operate independently and securely. The core problem identified was the lack of network isolation,
which led to excessive broadcast traffic, high vulnerability to internal threats, and inefficient
resource allocation. The solution was to design and deploy a VLAN-based infrastructure supported
by routing, access control, and security mechanisms.
8.2 Achievements and Contributions
This project successfully demonstrated:
• Department-based VLAN segmentation (IT, Finance, HR, Customer Service)
• Inter-VLAN routing using a Layer 3 router with ACL enforcement
• Layer 2 security features such as Port Security and DHCP Snooping
• A fully functional simulation using Cisco Packet Tracer
• Staff training and structured documentation to ensure sustainability
These contributions improved the network’s performance, minimized security risks, and ensured
clarity in traffic management.
8.3 Interpretation and Final Reflections
From a technical perspective, the VLAN-based approach proved to be highly effective in reducing
unnecessary traffic, enforcing policy-based access, and creating a scalable architecture. As a
student researcher, this project also provided valuable insight into real-world network planning,
device configuration, and user training—skills essential for future work in enterprise networking
environments.
8.4 Limitations and Constraints
To simplify the scope of the project, certain constraints were adopted:
• Redundant routing and link failover were not implemented.
• Centralized authentication methods (e.g., RADIUS) were omitted.
• The design assumed limited user mobility between VLANs.
These simplifications were made deliberately to keep the project manageable and focused on core
VLAN security concepts.
8.5 Recommendations for Future Work
Future developments can enhance the design by:
• Adding redundancy and load balancing to improve availability
• Implementing centralized authentication with RADIUS/TACACS+
• Integrating advanced monitoring and alert systems
• Extending the VLAN architecture to branch offices via VPN
• Automating configuration management using tools like Ansible
These improvements would allow the system to serve larger enterprises and ensure even stronger
security and operational resilience.
8.6 Final Remarks
This project proves that by leveraging industry-standard technologies like VLAN, ACL, and
DHCP security, organizations in Afghanistan can build affordable and reliable networks without
relying on overly complex or costly solutions. It is hoped that this monograph will serve as a
reference for similar institutions seeking practical steps to improve their IT infrastructure.