
2020 12th International Conference on Information Technology and Electrical Engineering (ICITEE), Yogyakarta, Indonesia

Performance Evaluation of Data Center Network with Network Micro-segmentation

1st Muhammad Mujib, Department of Electrical Engineering, University of Indonesia, Depok, Indonesia, [email protected]
2nd Riri Fitri Sari, Department of Electrical Engineering, University of Indonesia, Depok, Indonesia, [email protected]

Abstract—Research on the design of data center infrastructure is increasing, both from academia and industry, due to the rapid development of cloud-based applications such as search engines, social networks, and large-scale computing. On a large scale, data centers can consist of hundreds to thousands of servers that require systems with high performance requirements and low downtime. To meet the network's needs in a dynamic data center, the infrastructure of applications and services keeps growing. This requires a network topology design process that can guarantee availability and security. One way to achieve this is by implementing the zero trust security model based on micro-segmentation. Zero trust is a security idea based on the principle of "never trust, always verify", in which there is no concept of trusted and untrusted network traffic: the zero trust security model treats all network traffic as untrusted. Micro-segmentation is a way to achieve zero trust by dividing a network into smaller logical segments to restrict traffic. In this research, the performance of a data center network based on software-defined networking with a zero trust security model using micro-segmentation has been evaluated on a testbed simulation of Cisco Application Centric Infrastructure by measuring round trip time, jitter, and packet loss during experiments. Performance evaluation results show that micro-segmentation adds an average round trip time of 4 μs and jitter of 11 μs without packet loss, so that security can be improved without significantly affecting network performance in the data center.

Keywords—data center network, micro-segmentation, software defined networking, zero trust security

I. INTRODUCTION

Data center network requirements can be met using interconnected switches, which are referred to as data center networks in this paper [1]. In practice, most data center network technology uses Ethernet. Ethernet on data center networks is deployed using either the Ethernet-switched or the Internet Protocol-routed (IP-routed) method. Ethernet-switched and IP-routed each have advantages and disadvantages; one of the essential factors to consider is a high level of flexibility in development. Flexibility aims to meet the availability of networks for interconnecting thousands to millions of servers, should a data center network one day need it. Other things that need to be considered in technology selection are the ability to handle massive traffic (packet forwarding), efficient routing features, and the ability to handle virtual machine (VM) migration [2].

Problem-solving in data center networks using approaches that follow IETF standards is an interesting topic. Greenberg et al. [3] and Zhang et al. [4] explain the problems that are often encountered in data center networks, among others in terms of flexibility of development (scalability), data integrity, throughput, and the level of availability. The flexibility of development (scalability), in addition to the flexibility in installing a large number of servers and the flexibility in growth, are essential factors in the future. Another problem with data center network systems is the use of static resources through VLAN mechanisms based on each application's needs. Despite the advantages of VLANs in terms of performance and network traffic isolation, VLANs lack agility. This is because the VLAN concept integrates many aspects, such as network traffic management, security and isolation performance, and all traffic on a VLAN becomes one, causing a high level of oversubscription on core networks. In conventional data center networks, the design of load balancing mechanisms is limited by the applications deployed. Fragmentation of resources addresses this problem by dividing them into smaller subnets to restrict access to resources that are not needed at the same time. We conducted simulations to determine micro-segmentation performance by measuring round trip time, jitter, and packet loss on east-west data center traffic using a testbed simulation. This research was conducted on east-west traffic using SDN technology focused on data centers, which makes the network more flexible, dynamic, and cost-effective. SDN can reduce operational complexity, thereby increasing the performance of network systems [5]. The testbed simulation uses Cisco Application Centric Infrastructure (ACI), which is based on software-defined networking, with a zero trust security model based on micro-segmentation; because of its programmable, dynamically provisioned, and scalable fabric, Cisco ACI is the best choice [6].

The structure of the rest of this paper is as follows. We provide the related work in Section 2. In Section 3, we present the material and method. Section 4 presents the results and discussion of the performance evaluation of the micro-segmentation simulation in detail. In Section 5, we offer a conclusion and future work.

II. RELATED WORKS

Hernandez, L. et al. [7] conducted research using the preparation, planning, design, implementation, operation, and optimization (PPDIOO) methodology by building and comparing a conventional IP network simulation system and a Software-Defined Networking (SDN) one. The traditional IP network simulation runs the Enhanced Interior Gateway Routing Protocol (EIGRP) and Border Gateway Protocol (BGP) on the GNS3 simulator. In contrast, the SDN-based network simulation, with the OpenFlow protocol and POX controller, uses the Mininet simulator. In that study, the network performance variables measured and compared are delay, throughput, and jitter. The test was carried out using a ping mechanism


using IPv4 and IPv6, with 500 data packets of variable size: 200 Bytes, 1,000 Bytes, 10,000 Bytes, and 15,000 Bytes. During measurement with the ping mechanism, the network traffic is recorded using the Wireshark tool, and the recording is used as analysis material. The study results showed that the SDN-based network system performed better than the traditional IP-based network system in measurements using both IPv4 and IPv6. Moreover, the SDN network system is a new technology in network design and implementation that is dynamic, flexible, and easy to implement for current network and application needs.

Kasi, A. A., et al. [8] conducted a study using the testbed simulation method, analyzing core switch network performance by building a testbed simulation with switch devices of different brands and types, namely 3Com 3500 and Cisco 3550. The study developed a testbed simulation system with five topologies: a topology without VLAN, a topology with the same VLAN (intra-VLAN), a topology with different VLANs (inter-VLAN), a topology with different VLANs and operating systems, and a topology with the spanning tree protocol. The variables used to measure performance are consistency, throughput, and latency. Performance measurement is done by sending a data packet of 589 MB. The transmission is made eight times between 2 computer systems using the FileZilla tool, and the traffic is recorded using the Wireshark tool for the analysis process. In addition, measurements were made using the ping mechanism and recorded using Wireshark to determine the topology's performance with the spanning tree protocol. The results of performance measurements using a testbed simulation with five scenarios show that 3Com is consistent but lower than Cisco, which is inconsistent. Cisco shows better data transmission compared to 3Com. On the other hand, 3Com shows better performance in sending data at the Layer 2 mechanism. Based on the performance measurements, Cisco has better performance when it functions as the distribution and core layer (L3), while 3Com performs better when operated as the access layer (L2).

Vuletic, D. V. et al. [9] conducted research to measure computer systems' performance against distributed denial of service (DDoS) attacks. The study was carried out by building a network system in which the victim runs the Windows operating system and the attacker runs the Linux operating system (Kali Linux). Testing is done by running the ping mechanism and carrying out DDoS attacks using the hping3 tool from Kali Linux. Hping3 is a free tool that can be used to simulate network traffic in the form of the TCP/IP protocol by generating network traffic according to needs, such as a TCP SYN flood that floods network channels so that the availability of network systems is disrupted. The results of testing using hping3 show that DDoS attacks succeeded in disrupting service performance for the victim. The result is indicated by an increase in the CPU process. On the other hand, monitoring during the attack shows that the ping process returns request time out, so that the service becomes unavailable.

Surantha, N. et al. [10] conducted a study to test the performance of a network system security design using planning, design, implementation, operation, and optimization (PDIOO) and building a testbed simulation environment in the form of a cubicle container system design that implements network security using a zero trust model. Tests on the testbed simulation environment cover the propagation of data transmission paths in network traffic (routing) using the BGP protocol and port scanning using the Nmap tool. The test is carried out using the concept of zero trust, in which all network traffic is considered untrustworthy, by applying a configuration that rejects all network traffic. The test results show that the testbed simulation's design using the zero trust security model was successfully implemented, preventing attacks in the form of route hijacking and scanning on the network from external parties by applying a configuration on the perimeter firewall. On the other hand, labels on Kubernetes are used to limit network traffic in the internal container environment by restricting communication from unidentified and unauthorized network traffic, based on the tags used in the test mechanism.

III. THE MATERIAL AND METHOD

A. Software Defined Networking

Software-Defined Networking (SDN) is a relatively new technology for designing and controlling network devices, so that limitations of network devices can be overcome, using two methods [11]. First, the separation between the control plane and the data plane; in this case, the network device functions only to forward data packets, so that it becomes simpler and performance improves. Second, the division of the vertically integrated functions into logical systems that control the network and network devices that forward data packets. The logical tasks that control the network can be implemented using a centralized controller to facilitate the configuration and application of policies relating to the system. Besides, the separation of the control plane from the data plane aims to promote innovation by adding other features to the network, such as load balancing, firewalls, IDS/IPS, and others.

Fig. 1. Architecture of SDN [12]

Fig. 1 shows the architecture of SDN. According to S. Sezer et al. [12], there are four ways to identify SDN technology. First, there is a separation between the control plane and the data plane, so that the device only forwards data packets, while the device control process is done separately using a controller. Second, monitoring all components of network devices can be done using a centralized controller. Third, a protocol is used to communicate between the controller and the device. Fourth, network programming can be done using external (third-party) applications.


B. The Zero Trust Security Model

The zero trust security model is a security concept based on the principle of never trust, always verify. The core concept of zero trust is that there are no longer trusted and untrusted interfaces, networks, and users in the security device.

Fig. 2. All interfaces are untrusted [13]

Fig. 2 shows that zero trust treats all network traffic as untrusted. Zero trust does not say that employees cannot be trusted, but that trust is a concept that should not be applied by information security. The zero trust security model's basic idea is to verify and secure all resources, tightly restrict and enforce access control, and inspect and log all network traffic [13]. First, security and verification of resources are applied to all access regardless of the source. All traffic is considered a threat and is not trusted, so that traffic is authorized, inspected, and secured. Internal security is applied in the same way as external protection. Second, access restrictions are strictly implemented by applying access controls correctly according to the rules made, so that access to resources is limited.

C. The Advantage of Zero Trust Security Model

The conventional security model uses the concept of trust and untrust in network traffic, from now on referred to as the perimeter concept [14]. In building conventional security models, an organization's concept of the perimeter has been used to control access from outsiders so that the mitigation process against attacks can run optimally. In the perimeter concept, the capability to secure the network relies on security devices such as firewalls and VPNs. The need for security increases with the development of technologies such as cloud computing and the internet of things, which bring cyber attacks that the perimeter concept does not prevent optimally. This concept is no longer worth the investment that has been spent to build the perimeter. At present, a security system is essential to improve organizational security [13], with a zero trust security model [14].

Implementing a zero trust security model can provide a highly secure system, so it has a positive impact on business processes, such as the company's visibility in protecting customer data. The adoption of a zero trust security model can benefit the organization externally, through a good reputation in implementing security systems and budget savings in security system audits. Internally, it is highly feasible and makes efficient use of time in monitoring security systems with high visibility, thereby reducing the complexity of implementing security systems. Service needs and easy maintenance of security systems are other benefits that can be obtained by applying zero trust [15]. The zero trust security model cannot be 100% fully capable, but it can mitigate well and reduce the occurrence of cyber-attacks [16].

Cisco's zero trust is a thorough approach to securing all access by networks, applications, and environments. One of the zero trust security models at Cisco is zero trust for workloads, which minimizes the lateral movement that makes up breaches, with micro-segmentation using Cisco ACI [17].

D. Micro-segmentation

Micro-segmentation is a way of dividing networks into smaller segments to limit network traffic. Micro-segmentation has an advantage over traditional perimeter security systems in that a smaller segment can reduce the broader damage from malicious software (malware) attacks, and access to resources can be controlled based on established rules [18]. Micro-segmentation is an implementation of a distributed firewall that regulates access to network traffic based on security rules determined for each resource. At present, both Cisco ACI and VMware NSX are leading vendors in micro-segmentation, each with advantages and disadvantages [19]. Fig. 3 shows the concept of micro-segmentation in east-west network traffic in the data center.

[Fig. 3 diagram: a Distributed Firewall Manager with a Northbound Interface (REST APIs) and a Southbound Interface to two vSwitches hosting VM1 to VM6; East-West Traffic between the VMs and North-South Traffic through the NICs]

Fig. 3. Micro-segmentation concept [19]

Along with the development of software-defined networking (SDN) and the software-defined data center (SDDC), micro-segmentation is now an increasingly popular technology because it has a high level of security and flexibility in its implementation. Micro-segmentation facilitates network administration and the enforcement of security rules in data centers. With micro-segmentation, smaller segments can limit the access rights of users, applications, and servers, thereby reducing the more extensive damage from malware attacks. Besides, access to resources can be controlled based on the rules that have been made [19].

E. Cisco Application Centric Infrastructure (ACI)

Cisco Application Centric Infrastructure (ACI) is a software-defined networking (SDN) concept that implements the architecture according to application requirements. That way, the network implementation can be adjusted based on application requirements. This architecture aims to simplify, optimize, and accelerate an application's development cycle. The Cisco Application Policy Infrastructure Controller (APIC) is an application programming interface (API) used to connect applications, the network, and storage securely. APIC makes it easy for network administrators to define the optimal network for an application. APIC provides management and automation, use


of policies by programming, application implementation, monitoring the condition of the fabric, and regulating the scalability of the various tenants in the fabric [20].

The Cisco ACI fabric consists of Cisco Nexus 9000 series switches and the APIC, built as an ACI leaf/spine fabric that adopts a fat-tree network topology connecting each leaf switch to the spine switches, controlled by the APIC; all other devices are connected to the leaf switches. The recommended APIC configuration uses a minimum of 3 servers in a cluster. The ACI fabric can forward traffic with low lag times because it runs on links with a bandwidth capacity of 40 Gigabit per second (Gbps). Network traffic whose source and destination are on the same leaf is switched locally, while traffic whose source and destination are on different leaves passes through the spine first. The ACI fabric architecture runs on L3 even though there are only two hops physically [20].

An End Point Group (EPG) is a controllable object, a logical entity that contains a set of endpoints. Endpoints are resources connected to the network either directly or indirectly; they have an address (identity), location, and attributes, and can be either physical or virtual resources. An EPG is wholly separated from the physical and logical topology. Servers, virtual machines, and network-attached storage are examples of endpoints, which can be dynamic or static. Micro-segmentation in Cisco ACI groups endpoints of several EPGs into micro-segmented EPGs based on machine attributes, IP address, or MAC address. Virtual machines can have vNIC domain name attributes, VM tags, VM names, hypervisor tags, VMM domains, datacenter, operating system, or user-defined attributes [20].

F. Methods and Design Scenario

We conducted this research using the Preparation, Planning, Design, Implementation, Operation, and Optimization (PPDIOO) methodology.

Fig. 4. PPDIOO Methodology

Fig. 4 shows the PPDIOO methodology from Cisco [21], which defines the cycle for building a network system with sustainable services that provide a high level of availability. Fig. 4 shows the stages of the process to be carried out to produce the output targeted by the research objectives.

A testbed simulation system to test performance was built using an SDN-based network system with a micro-segmentation-based zero trust security model. The testbed simulation infrastructure consisted of network infrastructure using Cisco ACI, representing a data center network system, with the research focusing on east-west traffic. The server infrastructure represents the application services, consisting of a 3-tier application, namely a web server (web), an app server (app), and a database server (DB), each on a virtual machine (VM). The test scenario measures network performance in the form of round trip time, jitter, and packet loss with and without the micro-segmentation process, a feature that a Cisco ACI network system provides, on the 3-tier web, app, and DB systems. Fig. 5 shows the testbed simulation topology.

Fig. 5. The testbed simulation topology

Network performance can be tested using many variables. In this study, testing focused on three variables: round trip time (RTT), jitter, and packet loss, with and without the micro-segmentation process, on the 3-tier web, app, and DB systems. Round Trip Time (RTT) is the time required to send a packet: the total time needed to initiate the connection and transmit the data packet, so that RTT is a delay consisting of the propagation time between 2 hosts in a network system. RTT in a network system is known as ping time. Jitter is the variation in delay that occurs at consecutive nodes, whose value depends on the load of data traffic and the number of collisions between packets in a network system. A heavier data traffic load is a factor that raises the chance of collisions, which increases the jitter value. Packet loss is the failure of a data packet to reach its destination.

The network performance test scenario sends 100 data packets for each of the data size variations of 200 bytes, 500 bytes, 1,000 bytes, 10,000 bytes, and 15,000 bytes. Data packets are sent from the web to the app and from the app to the DB using the ping mechanism. The data traffic is recorded using Wireshark for analysis of Round Trip Time (RTT), jitter, and packet loss. Network performance testing is carried out with a micro-segmentation process and without a micro-segmentation process on the simulated ACI fabric testbed, and the results of both are analyzed. Network performance testing uses Wireshark as the test tool to obtain Round Trip Time (RTT), Jitter, and Packet Loss information. Wireshark is a network packet analyzer that can detect and display the packets that pass through a network in detail.

Fig. 6 shows the testbed simulation design without the micro-segmentation process. We build the testbed simulation design without micro-segmentation on the ACI fabric with the following steps. First, creating an EPG in which Web, App, and DB are all in the same EPG, epg_all. Second,


configuring the BD and the EPG epg_all so that the Web, App, and DB VMs are in the /24 network segment.

Fig. 6. Experiment without Micro-Segmentation Process

Fig. 7 shows the testbed simulation design with the micro-segmentation process. We build the testbed simulation design with micro-segmentation on the ACI fabric with the following steps. First, creating EPGs such that web, app, and DB are each in a different EPG: epg_web, epg_app, and epg_db. Second, configuring the BD and the EPGs epg_web, epg_app, and epg_db so that the destination VMs web, app, and DB are in the /24 network segment. Third, creating a contract (CT), a network policy that regulates the interconnection from epg_web to epg_app and from epg_app to epg_db, with an access policy in the form of ICMP (ping).

Fig. 7. Experiment with Micro-Segmentation Process

G. Components of The Testbed Simulation

Network infrastructure is the component consisting of the hardware and software used to build the SDN-based network system testbed simulation with a micro-segmentation-based zero trust security model. Table I shows the testbed simulation components, consisting of leaf switches, spine switches, and an SDN controller of the Cisco brand. Leaf switches for interconnecting servers to the network system use a 10 Gb interface. The spine switch for interconnection between leaf switches uses a 40 Gb interface. The SDN controller is used to configure the network system.

TABLE I. THE LIST OF COMPONENTS OF THE CISCO ACI

Name           | Bandwidth | Type                        | Firmware
Spine Switch   | 40 Gbps   | Nexus 9336PQ                | n900-14.2 (3I)
Leaf Switch    | 10 Gbps   | Nexus 9372PX, Nexus 93128TX | n900-14.2 (3I)
SDN Controller | 10 Gbps   | APIC Cluster M-1            | version 4.2 (3I)

Server infrastructure is the component consisting of the hardware and software used to build the testbed simulation system with the 3-tier web application, app, and DB. The server infrastructure used is based on virtual machines (VM) under the VMware brand. Table II shows the testbed simulation components in the form of the 3-tier Web, App, and DB.

TABLE II. VIRTUAL MACHINE SPECIFICATION OF THE TESTBED

Name        | vMemory | vCPU   | Operating System
Web         | 2 GB    | 1 vCPU | Linux Ubuntu
Application | 2 GB    | 1 vCPU | RHEL 7.8
Database    | 4 GB    | 2 vCPU | RHEL 7.8

IV. RESULT AND DISCUSSION

In this paper, the design and implementation of micro-segmentation are built using Cisco ACI. We created three application tiers, Web, App, and DB, in one /24 network segment. We ran a testing scenario using the ping mechanism with varying data sizes to evaluate the performance of the micro-segmentation process, and compared the test results with and without micro-segmentation. The testbed simulation without a micro-segmentation process is done by creating the 3-tier Web, App, and DB in one EPG named epg_all, which contains Web, App, and DB. The testbed simulation with a micro-segmentation process is done by creating the 3-tier Web, App, and DB in 3 EPGs, namely epg_web, epg_app, and epg_db.

Testing the performance of the testbed simulation with and without a micro-segmentation process is done by sending data packets using the ping mechanism. Data packets are sent from the Web to the App server and from the App server to the DB server, with sizes of 200 bytes, 500 bytes, 1,000 bytes, 10,000 bytes, and 15,000 bytes, 100 times each.

Fig. 8 and Fig. 9 show that the average RTT from the Web to the App measured without a micro-segmentation process is better than that measured with a micro-segmentation process. Still, the difference in delay is only in the microsecond range, so it will not affect network performance significantly. In the RTT measurements, the results show that the testbed simulation without a micro-segmentation process, with the lowest average RTT of 285 µs, is better than the testbed simulation with a micro-segmentation process, at 289 µs, when sending 200-byte and 500-byte data packets. The average addition is 4 µs. These results show that the factors affecting the RTT value include the size of the data packet sent and the security policy implemented in the micro-segmentation process.

Fig. 8. Average Web RTT measurement results to App

Fig. 9. Average App RTT measurement results to DB

Fig. 10 and Fig. 11 show that the jitter in the measurements without a micro-segmentation process is better than in the test with a micro-segmentation process. The micro-segmentation


process passes a security policy in the form of a contract (CT) that has been configured on the ACI fabric. In the jitter measurement, the results show that the testbed simulation without a micro-segmentation process, with the lowest jitter of 293 µs, is better than the testbed simulation with a micro-segmentation process, at 304 µs, when sending 500-byte data packets. The average addition of jitter is 11 µs.

Fig. 10. Jitter measurement results from Web to App

Fig. 11. Jitter measurement results from App to DB

In the packet loss measurement, the results show that the testbed simulation both without and with the micro-segmentation process succeeded in sending the data packets with no packet loss. These results indicate that there is no collision or congestion in the network traffic, because the Cisco ACI fabric appears as a single switch to the outside world, proficient in bridging and routing. Moving Layer 3 routing to the access layer restricts Layer 2 reachability by decoupling the Layer 2 domains.

V. CONCLUSION AND FUTURE WORK

The results of the analysis of the research, carried out by measuring the testbed simulation, show that micro-segmentation adds an average round trip time of 4 µs and jitter of 11 µs without packet loss. Based on these results, the security of the data center network can be improved without significantly affecting network performance.

Future work will use a test scenario comparing high traffic with low traffic in the network so that performance comparisons can be obtained. Another approach is to evaluate the performance of a zero trust security model based on micro-segmentation using products from other vendors, such as VMware NSX.

ACKNOWLEDGMENT

We thank the University of Indonesia for financial support for this research under the PUTI Prosiding Grant number NKB-1073/UN2.RST/HKP.05.00/2020.

REFERENCES

[1] M. Al-Fares, A. Loukissas and A. Vahdat, "A Scalable, Commodity Data Center Network Architecture," ACM SIGCOMM Computer Communication Review, vol. 38, no. 4, pp. 63-74, 2008.
[2] L. Yang, J. K. Muppala, M. Veeraraghavan, D. Lin and M. Hamdi, Data Center Network Topologies, Architecture and Fault-Tolerance Characteristics, London: Springer, 2013.
[3] A. Greenberg, J. Hamilton and D. A. Maltz, "The Cost of a Cloud: Research Problems in Data Center Networks," ACM SIGCOMM Computer Communication Review, vol. 39, no. 1, pp. 68-73, 2009.
[4] Y. Zhang and N. Ansari, "On Architecture Design, Congestion Notification, TCP Incast and Power Consumption in Data Centers," IEEE Communications Surveys & Tutorials, vol. 15, no. 1, pp. 39-64, 2013.
[5] K. Bakshi, "Considerations for Software Defined Networking (SDN): Approaches and Use Cases," in 2013 IEEE Aerospace Conference, Big Sky, Montana, 2013.
[6] P. Ijari, "Comparison between Cisco ACI and VMWARE NSX," IOSR Journal of Computer Engineering (IOSR-JCE), vol. 19, no. 1, pp. 70-72, 2017.
[7] L. Hernandez, G. Jimenez and A. Pranolo, "Comparative Performance Analysis Between Software-Defined Networks and Conventional IP Networks," in 5th International Conference on Science in Information Technology (ICSITech), Yogyakarta, 2019.
[8] A. A. Kasi, F. Khan, B. A. Ahmed, S. Rashid and S. Waseem, "Performance Analysis of Homogenous and Heterogenous Network Core Switches," in 2017 International Symposium on Wireless Systems and Networks (ISWSN), Lahore, 2017.
[9] D. V. Vuletić and N. D. Nojković, "Realization of A TCP Syn Flood Attack using Kali Linux," Military Technical Courier, vol. 66, no. 3, pp. 640-649, 2018.
[10] N. Surantha and F. Ivan, "Secure Kubernetes Networking Design Based on Zero Trust Model: A Case Study of Financial Service Enterprise in Indonesia," Advances in Intelligent Systems and Computing, vol. 994, pp. 348-361, 2019.
[11] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky and S. Uhlig, "Software-Defined Networking: A Comprehensive Survey," Proceedings of the IEEE, vol. 103, no. 1, pp. 14-76, 2015.
[12] S. Sezer, S. Scott-Hayward, P. K. Chouhan, B. Fraser, D. Lake, J. Finnegan, N. Viljoen, M. Miller and N. Rao, "Are We Ready for SDN? Implementation Challenges for Software-Defined Networks," IEEE Communications Magazine, vol. 51, no. 7, pp. 36-43, 2013.
[13] J. Kindervag, "Build Security into Your Network's DNA: The Zero Trust Network Architecture," Forrester Research Tech. Rep., Cambridge, 2010.
[14] E. Gilman and D. Barth, Zero Trust Networks, Sebastopol: O'Reilly Media Inc., 2017.
[15] Akamai, "https://www.akamai.com," June 2018. [Online]. Available: https://www.akamai.com/us/en/multimedia/documents/white-paper/the-6-business-and-security-benefits-of-zero-trust-white-paper.pdf. [Accessed 07 June 2020].
[16] P. Assunção, "A Zero Trust Approach to Network Security," in Proceedings of the Digital Privacy and Security Conference 2019, Porto, 2019.
[17] Cisco, "https://www.cisco.com," August 2019. [Online]. Available: https://www.cisco.com/c/en/us/products/collateral/security/solution-overview-c22-742591.pdf. [Accessed 7 September 2020].
[18] Cisco, "Data Center Microsegmentation: Enhance Security for Data Center Traffic," Cisco, San Jose, 2015.
[19] A. Chowdhary, D. Huang and S. Pisharody, "Microsegmentation," in Software-Defined Networking and Security: from Theory to Practice, Boca Raton, Florida: CRC Press Taylor & Francis Group, 2018, pp. 155-180.
[20] Cisco, "https://www.cisco.com," 28 August 2018. [Online]. Available: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals.pdf. [Accessed 07 June 2020].
[21] P. Oppenheimer, Top-down Network Design, 3rd ed., Indianapolis: Cisco Press, 2011.
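The two testbed designs of Section III.F (one EPG epg_all versus epg_web, epg_app and epg_db joined only by ICMP contracts) can be checked with a small policy model. This is an added example, not code from the paper or from Cisco; it assumes ACI's default behaviour that endpoints in the same EPG may communicate freely and that a contract's filter applies in both directions, and the endpoint names web, app and db stand in for the three VMs.

```python
"""Simplified model of ACI endpoint-group (EPG) policy for the Section III.F
testbed designs. Added example, not Cisco code. Assumptions: traffic inside an
EPG is always forwarded; between different EPGs only traffic matching a
contract filter is forwarded, in both directions (ACI's default)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Contract:
    consumer: str   # EPG that consumes the contract
    provider: str   # EPG that provides it
    protocol: str   # single filter entry, e.g. "icmp" or "tcp/3306"


@dataclass
class Fabric:
    epg_of: dict[str, str]                       # endpoint name -> EPG name
    contracts: set[Contract] = field(default_factory=set)

    def permits(self, src: str, dst: str, protocol: str) -> bool:
        """Zero trust default: deny unless same EPG or an explicit contract."""
        s_epg, d_epg = self.epg_of[src], self.epg_of[dst]
        if s_epg == d_epg:
            return True
        return any(
            c.protocol == protocol and {c.consumer, c.provider} == {s_epg, d_epg}
            for c in self.contracts
        )


def without_microsegmentation() -> Fabric:
    """Fig. 6 design: Web, App and DB all in epg_all on one /24 bridge domain."""
    return Fabric(epg_of={"web": "epg_all", "app": "epg_all", "db": "epg_all"})


def with_microsegmentation() -> Fabric:
    """Fig. 7 design: three EPGs joined only by ICMP contracts web->app, app->db."""
    return Fabric(
        epg_of={"web": "epg_web", "app": "epg_app", "db": "epg_db"},
        contracts={
            Contract("epg_web", "epg_app", "icmp"),
            Contract("epg_app", "epg_db", "icmp"),
        },
    )


def denied_flows(fabric: Fabric, protocol: str = "icmp") -> list[tuple[str, str]]:
    """Every ordered endpoint pair whose traffic the fabric would drop."""
    hosts = sorted(fabric.epg_of)
    return [(a, b) for a in hosts for b in hosts
            if a != b and not fabric.permits(a, b, protocol)]


def add_contract(fabric: Fabric, consumer_ep: str, provider_ep: str,
                 protocol: str) -> Fabric:
    """Open one more service path, e.g. the app tier's database connection."""
    fabric.contracts.add(
        Contract(fabric.epg_of[consumer_ep], fabric.epg_of[provider_ep], protocol))
    return fabric


if __name__ == "__main__":
    flat, micro = without_microsegmentation(), with_microsegmentation()
    print("flat  :", denied_flows(flat))    # [] - every tier reaches every other
    print("micro :", denied_flows(micro))   # web<->db dropped: no contract exists
    add_contract(micro, "app", "db", "tcp/3306")
    print("app->db tcp/3306:", micro.permits("app", "db", "tcp/3306"))  # True
    print("web->db tcp/3306:", micro.permits("web", "db", "tcp/3306"))  # False
```

The denied list for the micro-segmented fabric is the east-west traffic that the contract design stops; in the paper's measurement only the permitted web-to-app and app-to-db ICMP paths are exercised, which is why no packet loss appears.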
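The RTT, jitter and packet loss figures of Section IV are derived from Wireshark captures of the ping runs. The following added example (not part of the paper) computes those three metrics from a constructed ICMP capture exported as tab-separated fields in the shape that tshark -T fields produces; the IP addresses are invented, and jitter is computed as the mean absolute difference between consecutive RTTs, which is an assumption since the paper does not give its formula.

```python
"""RTT, jitter and packet loss from an ICMP echo capture. Added example, not
from the paper. The capture text is constructed in the column layout of
`tshark -T fields -e frame.time_relative -e ip.src -e ip.dst -e icmp.type
-e icmp.seq`; jitter = mean |RTT[i+1] - RTT[i]| (assumed definition)."""
from __future__ import annotations

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample: web (10.0.0.11) pings app (10.0.0.12); seq 5 gets no reply.
SAMPLE_CAPTURE = """\
0.000000\t10.0.0.11\t10.0.0.12\t8\t1
0.000285\t10.0.0.12\t10.0.0.11\t0\t1
1.000412\t10.0.0.11\t10.0.0.12\t8\t2
1.000701\t10.0.0.12\t10.0.0.11\t0\t2
2.000377\t10.0.0.11\t10.0.0.12\t8\t3
2.000670\t10.0.0.12\t10.0.0.11\t0\t3
3.000390\t10.0.0.11\t10.0.0.12\t8\t4
3.000671\t10.0.0.12\t10.0.0.11\t0\t4
4.000402\t10.0.0.11\t10.0.0.12\t8\t5
"""


def parse_capture(text: str) -> list[tuple[float, str, str, int, int]]:
    """One tuple (time_s, src, dst, icmp_type, seq) per non-empty line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, icmp_type, seq = line.split("\t")
        rows.append((float(t), src, dst, int(icmp_type), int(seq)))
    return rows


def rtt_samples_us(rows, src: str, dst: str) -> tuple[list[int], int]:
    """RTT in microseconds for each answered echo, plus the number of requests
    sent. A request is matched to the first reply carrying its sequence
    number; replies without a request and duplicate replies are ignored."""
    sent: dict[int, float] = {}
    rtts: dict[int, int] = {}
    for t, s, d, typ, seq in rows:
        if typ == ECHO_REQUEST and s == src and d == dst:
            sent.setdefault(seq, t)
        elif (typ == ECHO_REPLY and s == dst and d == src
              and seq in sent and seq not in rtts):
            rtts[seq] = round((t - sent[seq]) * 1_000_000)
    return [rtts[q] for q in sorted(rtts)], len(sent)


def summarize(rows, src: str, dst: str) -> dict[str, float]:
    """Average RTT, jitter and packet loss for one ping direction."""
    rtts, sent = rtt_samples_us(rows, src, dst)
    avg_rtt = sum(rtts) / len(rtts) if rtts else 0.0
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0
    loss_pct = 100.0 * (sent - len(rtts)) / sent if sent else 0.0
    return {"sent": sent, "received": len(rtts), "avg_rtt_us": avg_rtt,
            "jitter_us": jitter, "loss_pct": loss_pct}


if __name__ == "__main__":
    print(summarize(parse_capture(SAMPLE_CAPTURE), "10.0.0.11", "10.0.0.12"))
```

Running summarize over the capture taken with contracts in place and over the one taken with epg_all, and subtracting, gives the "average addition" of RTT and jitter that Section IV reports.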
