Whispers & Screams
And Other Things

OSPF DR and BDR Election

Participating routers in an OSPF network have varying roles to play in ensuring that the processes which route the data around the network maintain a true and accurate picture of the network topology. The two primary roles in this structure are the Designated Router (DR) and the Backup Designated Router (BDR). Their roles, whilst primarily aimed at maintaining network function from a routing perspective, are equally focused on ensuring that network bandwidth used to accomplish this is used judiciously.

An Election


Consider a multi-access environment (such as LAN or MAN), where three or more routers are connected together. If all the routers in the OSPF network had to form adjacencies with every other OSPF router present, forming a fully meshed OSPF adjacency network, the resultant conceptualised routing mesh would be overly chatty flooding Link State Advertisements (LSAs) with each and every other OSPF router. As a direct result, router CPU load and network bandwidth would be consumed wastefully. OSPF is designed to be far more efficient in its use of these resources, and, in order to prevent this from happening, OSPF holds an election process to determine and fill roles named Designated Router (DR) and a Backup Designated Router (BDR) so that the workload of propagating routing information around the network is more effectively managed. Election for the DR and BDR is determined primarily on the Router Priority (which by default is 1) and the Router ID. If the value of the router interface priority is changed to 0, it prevents that router from becoming the DR or the BDR.

Router priority can be adjusted on Cisco routers on a per-interface basis. The Router ID, however, is a 32-bit number that uniquely identifies the router in the Autonomous System. One algorithm for Router ID assignment is to choose the largest or smallest IP address assigned to the router. If a router's OSPF Router ID is changed, the router's OSPF software should be restarted before the new Router ID takes effect. Before restarting in order to change its Router ID, the router should flush its self-originated LSAs from the routing domain, or they will persist for up to MaxAge minutes. Cisco uses a method that some other vendors choose to follow, but it is not a requirement: if you have a loopback interface, since that is the most stable interface on your router, that will be used; if there is no loopback interface, the highest IP address on the router is used; if there is more than one loopback, then the highest of them is used. In many elections in OSPF the higher RID wins, which is the logic for choosing higher over lower. It should be noted, however, that you can manually specify an RID that isn't even a valid IP address, such as 224.1.1.1.

DROTHERS


The DR is the router which receives LSAs and other updates when there is a change in the inter-neighbor communications. These LSAs are sent out by the DROTHERS routers (all non-DR/BDR routers), and consequently, any further updates are propagated by the DR to the rest of the DROTHERS routers. The show ip ospf neighbor command, when executed, indicates the non-DR/BDR routers as DROTHERS. Every network segment in OSPF has a DR and a BDR.

The Process


What actually happens is that whenever there is a change in network routing status, instead of flooding each and every path with LSAs advertising new information about network topology, the update is only sent to the DR. The DR then takes on this job and floods the routers in its network segment with the update. If the DR fails or is not functioning, the BDR takes over. When this happens, the BDR replaces the existing DR as the new Designated Router, and a new BDR is elected.
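The Router ID selection, the priority/RID election and the DR failover described in the three sections above, as an added Python simulation that is not code from the original post. The router names, addresses and priorities are constructed sample values; the failover helper models only the behaviour the text describes (the BDR takes over as DR and a new BDR is elected).

```python
"""Added example, not code from the original post: OSPF Router ID selection
and DR/BDR election rules as a small simulation over constructed routers."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def rid_value(rid: str) -> int:
    """RIDs are compared as 32-bit numbers; 224.1.1.1 works here even though
    it is not a usable host address."""
    return int(IPv4Address(rid))


@dataclass
class Router:
    name: str
    priority: int = 1                         # interface priority; 0 = never DR/BDR
    loopbacks: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)
    manual_rid: Optional[str] = None          # an explicitly configured Router ID

    def router_id(self) -> str:
        """Cisco-style selection: a manually set RID wins, otherwise the
        highest loopback address, otherwise the highest interface address."""
        if self.manual_rid:
            return self.manual_rid
        pool = self.loopbacks or self.interfaces
        if not pool:
            raise ValueError(f"{self.name}: no address from which to derive a Router ID")
        return max(pool, key=rid_value)


def elect(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) names.  Highest priority wins, ties go to the higher
    Router ID, and priority-0 routers are ineligible (they stay DROTHERs).
    With a single eligible router there is no BDR."""
    eligible = [r for r in routers if r.priority > 0]
    eligible.sort(key=lambda r: (r.priority, rid_value(r.router_id())), reverse=True)
    dr = eligible[0].name if eligible else None
    bdr = eligible[1].name if len(eligible) > 1 else None
    return dr, bdr


def dr_failover(routers: List[Router], dr: str, bdr: str) -> Tuple[str, Optional[str]]:
    """The DR has failed: the BDR becomes the DR and a new BDR is elected
    among the remaining eligible routers on the segment."""
    remaining = [r for r in routers if r.name not in (dr, bdr)]
    new_bdr, _ = elect(remaining)
    return bdr, new_bdr


# Constructed sample segment (not a real network).
SEGMENT = [
    Router("R1", loopbacks=["10.0.0.1"], interfaces=["192.168.1.1"]),
    Router("R2", interfaces=["192.168.1.2", "172.16.5.9"]),
    Router("R3", priority=0, loopbacks=["10.0.0.3"]),          # DROTHER by configuration
    Router("R4", interfaces=["192.168.1.4"], manual_rid="224.1.1.1"),
]

if __name__ == "__main__":
    for r in SEGMENT:
        print(f"{r.name}: priority {r.priority}, RID {r.router_id()}")
    dr, bdr = elect(SEGMENT)
    print("DR:", dr, "BDR:", bdr)
    print("after DR failure ->", dr_failover(SEGMENT, dr, bdr))
```

Run as-is, R4 wins the DR role on its manually set RID and R2 becomes BDR; raising R1's priority to 5 makes R1 the DR regardless of RID, which is the "priority first, RID second" rule from the text.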


Configuring 3G Wireless WAN on Modular and Fixed ISRs (HWIC-3G-GSM, HWIC-3G-HSPA, PCEX-3G-HSPA-x)

Cisco Integrated Services Routers are branch routers which support the new paradigms of network traffic delivery in the cloud and on the move. They provide Internet connectivity to teleworkers, and minor sites supporting less than 20 users. They also support bridging and routing between the LAN and the WAN whilst providing many advanced features such as antivirus protection.

 

The Third Generation (3G) Wireless High-Speed WAN Interface Card (HWIC) is a multiband, multiservice WAN card for use over WCDMA Radio Access Networks (RAN).

 

Both the fixed and the modular 3G routers can be used as the primary WAN connectivity and as a backup for critical applications which require a fallback service. 3G WAN is supported on the following modular Cisco ISRs: 800, 1841, 1861, 2800 series, 3800 series, 1900, 2900 and 3900.

 

One of the first actions required will be to configure a new 3G HWIC data profile.

 

To configure your 3G HWIC data profile, you will need the following information from your service provider:

    • Username (if required by your carrier)
    • Password (if required by your carrier)
    • Access Point Name (APN)
Once obtained, we can begin to set up the 3G features on the equipment itself by following these procedures:

    1. Data Account Provisioning
    2. Data Call Setup
    3. Voice Initiated Data Callback or Remote Dial-in (Optional)

In order to provision our data account we must first have obtained the key information from the service provider. The next priority is to ensure that we have the necessary service availability and signal strength for the connection to work. We use the following commands to examine the services available on the 3G network at the location in question:

    1. show cellular network - displays information about the carrier network.
    2. show cellular radio - shows the signal strength. We are looking for an RSSI of -90 dBm for a steady and reliable connection.
    3. show cellular security - shows the SIM lock status and modem lock status.

Once we have determined that the conditions are favourable we can go ahead and set up a modem data profile. To examine the existing data profiles configured on the equipment use the command show cellular profile. 

Assuming the profile we need is not already created, we will need to create it. To do this we use the command cellular gsm profile create. The syntax required is as follows:

cellular <slot/wic/port> gsm profile create <profile number> <apn> <authentication> <username> <password>

for example

cellular 0/0/0 gsm profile create 1 vodafone.apn chap 3guser 3guserpass

The data profile parameters are as follows:

    • apn - Access Point Name; this must be obtained from the service provider
    • authentication - usually chap or pap
    • username - provided by the service provider
    • password - provided by the service provider

Once the data profile is properly set we then look to set up the parameters for the correct operation of the data call.

Firstly it is necessary to configure the cellular interface. The steps in summary are as follows:

1. configure terminal
2. interface cellular <slot/wic/port>
3. encapsulation ppp
4. ppp chap hostname <host>
5. ppp chap password 0 <password>
6. asynchronous mode interactive
7. ip address negotiated

 

The authentication parameters used here must be the same as those configured under the earlier GSM profile.

 

Once this is configured we need only configure the dialer, and the steps for doing this in summary are as follows:

1. configure terminal
2. interface cellular <slot/wic/port>
3. dialer in-band
4. dialer idle-timeout <seconds>
5. dialer string <string>
6. dialer group <number>
7. exit
8. dialer-list <dialer-group> protocol <protocol-name> {permit | deny | list <access-list-number> | access-group}
9. ip access-list <access-list-number> permit <ip-source-address>
10. line <slot/wic/port>
11. script dialer <regexp>
12. exit
13. chat-script <script name> "" "ATDT*98*<profile number>#" TIMEOUT <timeout value> CONNECT
14. interface cellular <slot/wic/port>

 

So that should be it. Assuming the router is properly configured elsewhere, the traffic should begin to flow using the 3G interface and everything should be working just fine. Of course sometimes things don't work out quite so smoothly, and I will publish a post soon detailing the steps needed to troubleshoot these types of connections when they don't work as planned.
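The three pieces configured above have to agree with each other: the PPP CHAP credentials with the GSM profile, the chat-script's *98*<profile number># string with the profile that was created, the line's script dialer expression with a defined chat-script, and the dialer group with a dialer-list. The Python check below is an added example, not part of the original post or any Cisco tooling; the slot, APN, credentials, timer values and the shape of the saved configuration are constructed, and the only relationships it verifies are the ones the steps above state.

```python
"""Added example (not from the original post): cross-check the exec-mode GSM
profile command against the cellular interface, line and dialer configuration
produced by the steps above.  All sample values are constructed."""
import re
from typing import Dict, List, Optional

# Constructed: the exec command from the profile step and the resulting config.
SAMPLE_PROFILE_CMD = "cellular 0/0/0 gsm profile create 1 vodafone.apn chap 3guser 3guserpass"

SAMPLE_CONFIG = """\
interface Cellular0/0/0
 encapsulation ppp
 ppp chap hostname 3guser
 ppp chap password 0 3guserpass
 asynchronous mode interactive
 ip address negotiated
 dialer in-band
 dialer idle-timeout 30
 dialer string gsm
 dialer-group 1
!
dialer-list 1 protocol ip permit
chat-script gsm "" "ATDT*98*1#" TIMEOUT 60 CONNECT
line 0/0/0
 script dialer gsm
"""

PROFILE_RE = re.compile(
    r"cellular\s+(\S+)\s+gsm\s+profile\s+create\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_profile(cmd: str) -> Dict[str, str]:
    """Split 'cellular <slot> gsm profile create <n> <apn> <auth> <user> <pass>'."""
    m = PROFILE_RE.fullmatch(cmd.strip())
    if not m:
        raise ValueError("unrecognised 'cellular ... gsm profile create' command")
    return dict(zip(("slot", "number", "apn", "auth", "username", "password"), m.groups()))


def first(pattern: str, text: str) -> Optional[str]:
    """First capture group of the first line matching pattern, or None."""
    m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def check_3g_config(profile_cmd: str, config: str) -> List[str]:
    """Return a list of inconsistencies; an empty list means the pieces agree."""
    p = parse_profile(profile_cmd)
    findings = []

    # 1. CHAP credentials on the interface must match the GSM profile.
    host = first(r"^\s*ppp chap hostname (\S+)", config)
    pw = first(r"^\s*ppp chap password \d+ (\S+)", config)
    if host != p["username"]:
        findings.append(f"ppp chap hostname {host!r} != profile username {p['username']!r}")
    if pw != p["password"]:
        findings.append("ppp chap password does not match the profile password")

    # 2. The chat-script must dial the profile number that was created.
    scripts = re.findall(r'^chat-script (\S+) "" "ATDT\*98\*(\d+)#"', config,
                         re.MULTILINE | re.IGNORECASE)
    if not scripts:
        findings.append("no chat-script dialling *98*<profile number># found")
    for name, num in scripts:
        if num != p["number"]:
            findings.append(f"chat-script {name} dials profile {num}, but profile {p['number']} was created")

    # 3. 'script dialer <regexp>' on the line must match a defined chat-script name.
    regexp = first(r"^\s*script dialer (\S+)", config)
    if regexp is None or not any(re.fullmatch(regexp, name) for name, _ in scripts):
        findings.append(f"'script dialer {regexp}' matches no chat-script")

    # 4. The interface's dialer group needs a dialer-list with the same number.
    group = first(r"^\s*dialer[- ]group (\d+)", config)
    lists = set(re.findall(r"^dialer-list (\d+) protocol", config, re.MULTILINE))
    if group not in lists:
        findings.append(f"dialer-group {group} has no matching dialer-list")
    return findings


if __name__ == "__main__":
    print(check_3g_config(SAMPLE_PROFILE_CMD, SAMPLE_CONFIG) or "consistent")
```

Pasting a real `show running-config` in place of the constructed text works as long as the banner-free sections above are present; a mismatch in any of the four checks is the first thing to rule out before debugging the radio side.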

 

I hope this summary is useful and would appreciate your comments using the form provided below.


Cisco Open SOC

So a couple of days ago Cisco, it would seem, finally released their new open source security analytics framework, OpenSOC, to the developer community. OpenSOC sits conceptually at the intersection between Big Data and Security Analytics.

The current totalizer on the Breach Level Index website (breachlevelindex.com) sits at almost 2.4 billion data records lost this year so far, which works out at approximately 6 million per day. The level of this data loss will not be dropping anytime soon, as attackers are only going to get better at getting their hands on this information. There is hope, however, as even the best hackers leave clues in their wake, although finding these clues in enormous amounts of analytical data such as logs and telemetry can be the biggest of challenges.

This is where OpenSOC will seek to make the crucial difference and bridge the gap. Incorporating a platform of anomaly detection and incident forensics, it integrates elements of the Hadoop environment such as Kafka, Elasticsearch and Storm to deliver a scalable platform enabling full-packet capture indexing, storage, data enrichment, stream processing, batch processing, real-time search and telemetry aggregation. It will seek to provide security professionals the facility to detect and react to complex threats on a single converged platform.

The OpenSOC framework provides three key elements for security analytics:

    1. Context

      An extremely high speed mechanism to capture and store security data. OpenSOC consumes data by delivering it to multiple high speed processors capable of heavy-lift contextual analytics, in tandem with appropriate storage enabling subsequent forensic investigations.

    2. Real-time Processing

      Application of enrichments such as threat intelligence, geolocation, and DNS information to collected telemetry, providing for quick-reaction investigations.

    3. Centralized Perspective

      The interface presents alert summaries with threat intelligence and enrichment data specific to an alert on a single page. The advanced search capabilities and full packet-extraction tools are available for investigation without the need to pivot between multiple tools.

When sensitive data is compromised, the company's reputation, resources, and intellectual property are put at risk. Quickly identifying and resolving the issue is critical, but traditional approaches to security incident investigation can be time-consuming. An analyst may need to take the following steps:

    1. Review reports from a Security Incident and Event Manager (SIEM) and run batch queries on other telemetry sources for additional context.
    2. Research external threat intelligence sources to uncover proactive warnings of potential attacks.
    3. Consult a network forensics tool with full packet capture and historical records in order to determine context.

Apart from having to access several tools and information sets, the act of searching and analyzing the amount of data collected can take minutes to hours using traditional techniques. Security professionals can use a single tool to navigate data with narrowed focus instead of wasting precious time trying to make sense of mountains of unstructured data.
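The "Real-time Processing" and "Centralized Perspective" elements above amount to one pattern: enrich each telemetry record with threat intelligence, geolocation and DNS context as it arrives, then collapse the hits into one alert summary per external address so the analyst is not pivoting between tools. The Python below is an added illustration of that pattern and is not OpenSOC code; the intel ranges, geolocation table, passive-DNS entries and flow records are all constructed.

```python
"""Added example (not OpenSOC code): enrich constructed flow telemetry with
threat-intel, geolocation and DNS context, then summarise hits per alert."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed threat-intelligence feed: network -> label.
THREAT_INTEL = {
    ip_network("203.0.113.0/24"): "known-c2-range",
    ip_network("198.51.100.7/32"): "scanner",
}
# Constructed geolocation table: network -> country code.
GEO = {ip_network("203.0.113.0/24"): "XX", ip_network("198.51.100.0/24"): "YY"}
# Constructed passive-DNS table: address -> last name seen resolving to it.
PASSIVE_DNS = {"203.0.113.9": "update-cdn.example.invalid"}
# Constructed definition of "our" address space.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow telemetry, one record per flow.
FLOWS = [
    {"src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "bytes": 5120},
    {"src": "10.1.1.5", "dst": "93.184.216.34", "dport": 443, "bytes": 900},
    {"src": "198.51.100.7", "dst": "10.1.1.20", "dport": 22, "bytes": 60},
    {"src": "198.51.100.7", "dst": "10.1.1.21", "dport": 22, "bytes": 60},
]


def enrich(flow: Dict) -> Dict:
    """Attach intel hits, geolocation and DNS context to both ends of a flow."""
    out = dict(flow, hits=[])
    for side in ("src", "dst"):
        addr = ip_address(flow[side])
        out[f"{side}_geo"] = next((cc for net, cc in GEO.items() if addr in net), None)
        out[f"{side}_dns"] = PASSIVE_DNS.get(flow[side])
        out["hits"] += [(side, label) for net, label in THREAT_INTEL.items() if addr in net]
    return out


def summarise(flows: List[Dict]) -> Dict:
    """One alert per (external address, intel label): flow count, bytes, the
    internal hosts involved, and the enrichment context for that address."""
    alerts = defaultdict(lambda: {"flows": 0, "bytes": 0, "internal_hosts": set()})
    for f in map(enrich, flows):
        for side, label in f["hits"]:
            other = "dst" if side == "src" else "src"
            if ip_address(f[other]) not in INTERNAL:
                continue                      # external-to-external: not our problem
            a = alerts[(f[side], label)]
            a["flows"] += 1
            a["bytes"] += f["bytes"]
            a["internal_hosts"].add(f[other])
            a["geo"], a["dns"] = f[f"{side}_geo"], f[f"{side}_dns"]
    return dict(alerts)


if __name__ == "__main__":
    for key, alert in summarise(FLOWS).items():
        print(key, alert)
```

The two SSH flows from the same scanner collapse into a single alert listing both internal targets, which is the single-page view the post describes; the clean flow to 93.184.216.34 produces no hit and never reaches the analyst.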


Cisco Banners

A banner is a useful tool for sending a security message to selected visitors to the equipment. Cisco equipment uses four different banner types to provide different messages at different times and these types are exec process creation banner, incoming terminal line banner, login banner and message of the day banner.

Of these four types, message of the day is the most extensively used banner. This message is seen by anybody connecting to the router, whether they connect via Telnet, the Aux port or the Console port.

[Image: the available banner types on the command line]

The image above shows the available types on the command line.

The most frequently seen type of banner is the Message of the day (MOTD) as mentioned above. When configuring this type of banner the following prompt is seen:

=================================================================================================

Router(config)#banner motd ?
LINE  c banner-text c, where 'c' is a delimiting character
Router(config)#banner motd #
Enter TEXT message.  End with the character '#'.
If you are not authorised to be using this router you must disconnect immediately.
#
Router(config)#^z
Router#
20:25:12: %SYS-5-CONFIG_I: Configured from console by console
Router#exit

Router con0 is now available

Press enter to get started.

If you are not authorised to be using this router you must disconnect immediately.

Router>

====================================================================================================

The most important part to understand is the delimiting character—this is the element that’s used to tell the router when the message is complete. Any character can be used as a delimiting character, but you can’t use the delimiting character in the message itself. Also, once the message is complete, press Enter, then the delimiting character, and then Enter again.

Below are some details of the other banners discussed:

Exec banner - You can configure a line-activation (exec) banner to be displayed when an EXEC process (such as a line activation or incoming connection to a VTY line) is created. By simply starting a user exec session through a console port, you'll activate the exec banner.

Incoming banner - You can configure a banner to be displayed on terminals connected to reverse Telnet lines. This banner is useful for providing instructions to users who use reverse Telnet.

Login banner - You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner but before the login prompts. The login banner can't be disabled on a per-line basis, so to globally disable it, you've got to delete it with the no banner login command.

Here is an example of a login banner:
!
banner login ^C
-----------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege
level of 15.
Please change these publicly known initial credentials using SDM or the IOS
CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use.
For more information about SDM please follow the instructions in the QUICK
START GUIDE for your router or go to http://www.cisco.com/go/sdm

-----------------------------------------------------------------
^C
!
The above login banner should look pretty familiar: it's the banner that Cisco has in its default configuration for its ISR routers. Again, this banner is displayed before the login prompts but after the MOTD banner.


Classful IP Addressing (IPv4)

IP addressing is among the most important topics in any examination of TCP/IP. The IP address is a 32-bit binary identifier which, when configured correctly, enables each machine on an IP network to be uniquely identified. It is used to allow communication with any specific device on the network.

An IP address is defined in software and is configured dynamically as needed by software whether controlled by a human or a software process (as opposed to a MAC address which is a permanent, hard coded hardware address which cannot be easily changed). IP addressing was designed to allow media independent communication between any two hosts on the same, or different, IP networks.

Terminology

As a precursor to looking at IP Addressing in some detail, lets define some basic terminology.

Byte - A byte is a unit of binary information that most commonly consists of eight bits. In the course of this post, the term Octet will also be used to represent one and the same thing.

IP Address - An IP address is a 32-bit binary number which represents, when assigned to a network device, its unique Network Layer (Layer 3) address. IP addresses are commonly described in Dotted Decimal notation for ease of human readability. Dotted Decimal notation is the conventional way of describing an IP address, e.g. 192.168.1.1, and is formed by separating the 32-bit IP address into 4 x 8-bit Octets, converting each Octet into a decimal number between 0 and 255 and separating each of these Octets with a dot. An IP Address is also frequently referred to as a Network Address and the terms can be used interchangeably; however, IP Address is by far the most common.

Broadcast Address - On any IP Network, the Broadcast Address is the address used to send to all hosts which are members of and connected to the IP Network.

IP Addressing

As mentioned previously, an IP address is made up of 32 binary bits. It is extremely important to always bear this fact in mind when working with IP addresses, as failing to do so can significantly impair one's ability to fully understand and manipulate the IP addressing system as required.

IP addresses are commonly described in one of three ways:

    1. Dotted Decimal (as described above)
    2. Binary (as a 32-bit binary number)
    3. Hexadecimal (rarely used, but can be seen when addresses are stored within programs or during packet analysis)

One important aspect of an IP address is that it is a hierarchical address. This has a number of advantages, not least of which is the fact that it enables addresses to be aggregated together, which greatly simplifies the mechanisms used to route traffic around the Internet.
In IPv4 there are 4.3 billion IP addresses available in theory, and without this mechanism for route aggregation it would be necessary for Internet routers to know the location of each one of these connected devices.
The hierarchical system used by IPv4 is one which separates the IP address into two components, namely a network part and a host part.
In practice this "two component" system is further split down, as the host part is frequently subdivided into even smaller subnetworks. In this post, however, we will limit our discussion to the "two component" system.

This term, "subnetwork", (often abbreviated to subnet) is one which is used frequently within the network engineering community to such an extent that it has become part of the jargon of the trade. This has only served to enhance its status as a term which has a great deal of complexity behind it but it is actually extremely simple. A subnetwork (subnet) is any subdivision of a larger network. It really is as simple as that.

The Two Component System / Network part and Host part

In order to make IP addresses hierarchical, a two component system has been created. This system splits the IP address into two parts known as The Network Part and The Host Part. This can be likened to a telephone number where (typically) the first 4 or 5 digits represent the town or city and the subsequent 6 or 7 digits represent the individual line.
The designers of this hierarchical addressing scheme created 5 classes of IP address by splitting up the full range of 4.3 billion addresses in a logical way. These 5 classes (or subdivisions) are known as Class A, B, C, D, and E networks.
For the purposes of this post we shall concern ourselves primarily with classes A, B and C however I shall briefly introduce each of the classes in the following section.

The 5 Network Classes

The image below depicts the 5 classes of IP Network as well as some of the basic features associated with each.

[Image: the 5 classes of IP network with the basic features of each]

Class A - Class A networks were designed for use in networks which needed to accommodate a very large number of hosts.
As can be seen from the diagram, the first bit in a Class A address is always 0.
In each of network classes A, B and C, we can also see that the addresses are split into two parts, namely Network and Hosts.
These parts can be likened to the two parts of the telephone number described earlier.
The Network part is like the city code and the Host part is like the rest of the telephone number.
As you can see from the image, the division between the Network and Host part is set after the 8th bit. This means that we have 7 bits available to represent different Networks and 24 bits available to represent the individual hosts within each of the Class A networks.
It is clear therefore that, since the first bit must always be 0, the lowest network address available is 00000000.X.X.X (0 in decimal) and the highest network address available is 01111111.X.X.X (127 in decimal).
It would seem therefore that the range of addresses available to Class A networks is 0.X.X.X up to 127.X.X.X (Where X represents the Host part) but I shall demonstrate later that the 0 and 127 networks are reserved therefore the Class A address range runs from 1.X.X.X to 126.X.X.X in practice.

Class B - In Class B networks, the split between the network part and the host part happens after the 16th bit.
In any Class B network address the first two bits must always be set to 10. This leaves 14 bits to define the network number and allows addresses to range from 10000000.00000000.X.X up to 10111111.11111111.X.X .
These binary addresses equate in decimal to the first two Octets of Class B addresses ranging from 128.0.X.X up to 191.255.X.X
Class C - The pattern now emerging is that Class C addresses use the first 3 Octets to define the Network part of their addresses. Again, as with Class A and B networks some bits are permanently defined and in the case of Class C network addresses, the first 3 bits are always set to 110.
This means that we have 21 bits available to define the network part of Class C network addresses ranging (in binary) from 11000000.00000000.00000000.X up to 11011111.11111111.11111111.X which in decimal equates to 192.0.0.X up to 223.255.255.X

Class D - Class D (224-239) is reserved for Multicast Addressing; a post based explicitly on this addressing will be published ASAP and linked to from here. Class D addressing is beyond the scope of this post, however if required please follow this link for more detail: Class D Networks and IP Multicasting.

Class E - Class E (240-255) is reserved for scientific experimentation and research and if any subsequent posts on this blog examine Class E networks, they will be linked to from here.
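The class boundaries, network/host split and first-octet ranges worked through for Classes A to E above all follow from the fixed leading bits, so they can be derived rather than memorised. The Python below is an added example, not from the original post: it encodes the leading-bit patterns as the post gives them, derives each class's first-octet range and free network/host bits from them, and classifies a dotted-decimal address into its class, network part and host part while showing the binary and hexadecimal forms mentioned under "IP Addressing". The sample addresses in the test are constructed.

```python
"""Added example (not from the original post): derive the classful table from
the fixed leading bits and classify dotted-decimal IPv4 addresses."""
from typing import Dict, Optional, Tuple

# (class, fixed leading bits, how many leading bits are fixed, octets in the network part)
CLASSES = [
    ("A", 0b0,    1, 1),
    ("B", 0b10,   2, 2),
    ("C", 0b110,  3, 3),
    ("D", 0b1110, 4, None),   # multicast: no network/host split
    ("E", 0b1111, 4, None),   # experimental
]


def ip_class(first_octet: int) -> Tuple[str, int, Optional[int]]:
    """Match the first octet's leading bits against the class patterns."""
    for name, pattern, nbits, net_octets in CLASSES:
        if first_octet >> (8 - nbits) == pattern:
            return name, nbits, net_octets
    raise ValueError(first_octet)   # unreachable for 0..255


def class_table() -> Dict[str, Dict]:
    """For every class: the first-octet range implied by the fixed bits and,
    for A-C, the bits left for the network number and the host bits."""
    rows = {}
    for name, pattern, nbits, net_octets in CLASSES:
        lo = pattern << (8 - nbits)
        hi = lo | ((1 << (8 - nbits)) - 1)
        rows[name] = {
            "first_octet": (lo, hi),
            "network_bits": net_octets * 8 - nbits if net_octets else None,
            "host_bits": 32 - net_octets * 8 if net_octets else None,
        }
    return rows


def classify(addr: str) -> Dict:
    """Class, network part, host part, binary and hex forms of one address."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr}")
    name, _, net_octets = ip_class(octets[0])
    info = {
        "address": addr,
        "class": name,
        "binary": ".".join(f"{o:08b}" for o in octets),
        "hex": "0x" + "".join(f"{o:02X}" for o in octets),
    }
    if net_octets:
        info["network"] = ".".join(map(str, octets[:net_octets]))
        info["host"] = ".".join(map(str, octets[net_octets:]))
        # 0.X.X.X and 127.X.X.X are reserved, so usable Class A networks run 1-126.
        info["assignable"] = not (name == "A" and octets[0] in (0, 127))
    else:
        info["network"] = info["host"] = None
        info["assignable"] = False
    return info


if __name__ == "__main__":
    for name, row in class_table().items():
        print(name, row)
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.1", "224.1.1.1", "127.0.0.1"):
        print(classify(sample))
```

The derived table reproduces the figures in the text (7/14/21 free network bits for A/B/C, first octets 0-127, 128-191, 192-223, 224-239 and 240-255), which is a quick way to sanity-check the diagram above.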
